Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
Analysis ID:	1543577
MD5:	32bbe58d2336cd18c22d221a3836bd50
SHA1:	7b559b7160fa1f0de211afd3dcb81a41a2a7fd89
SHA256:	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40
Tags:	AveMariaRATexe
Infos:

Detection

AveMaria, UACMe

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected AveMaria stealer

Yara detected UACMe UAC Bypass tool

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe (PID: 6896 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe" MD5: 32BBE58D2336CD18C22D221A3836BD50)

powershell.exe (PID: 4280 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4956 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rRQnnfB.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7280 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 3192 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpE51C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 1216 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 4948 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 6316 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 6300 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 7092 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

rRQnnfB.exe (PID: 7220 cmdline: C:\Users\user\AppData\Roaming\rRQnnfB.exe MD5: 32BBE58D2336CD18C22D221A3836BD50)

schtasks.exe (PID: 7424 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpF613.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 7468 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 7476 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 7484 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 7492 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 7500 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Ave Maria, AveMariaRAT, avemaria	Information stealer which uses AutoIT for wrapping.	Anunak	http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery https://asec.ahnlab.com/en/36629/ https://blog.cyber5w.com/analyzing-macro-enabled-office-documents https://blog.morphisec.com/syk-crypter-discord https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

Name	Description	Attribution	Blogpost URLs	Link
UACMe	A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.	No Attribution	https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ https://github.com/hfiref0x/UACME	https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme

Malware Configuration

Threatname: AveMaria

{"C2 url": "wznne1.duckdns.org", "port": 63196, "Proxy Port": 0}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x27efe8:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x2a0008:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x27d7cc:$a2: SMTP Password 0x29e7ec:$a2: SMTP Password 0x27c880:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x29d8a0:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x281d58:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2a2d78:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x27ef38:$a5: for /F "usebackq tokens=" %%A in (" 0x29ff58:$a5: for /F "usebackq tokens=" %%A in (" 0x27d258:$a6: \Torch\User Data\Default\Login Data 0x29e278:$a6: \Torch\User Data\Default\Login Data 0x281e78:$a7: /n:%temp%\ellocnak.xml 0x2a2e98:$a7: /n:%temp%\ellocnak.xml 0x27ddb8:$a8: "os_crypt":{"encrypted_key":" 0x29edd8:$a8: "os_crypt":{"encrypted_key":" 0x281ea8:$a9: Hey I'm Admin 0x2a2ec8:$a9: Hey I'm Admin 0x27d694:$a10: \logins.json 0x29e6b4:$a10: \logins.json 0x27dd30:$a11: Accounts\Account.rec0
0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x870a0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0xa80c0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x85884:$a2: SMTP Password 0xa68a4:$a2: SMTP Password 0x84938:$a3: select signon_realm, origin_url, username_value, password_value from logins 0xa5958:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x89e10:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xaae30:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x86ff0:$a5: for /F "usebackq tokens=" %%A in (" 0xa8010:$a5: for /F "usebackq tokens=" %%A in (" 0x85310:$a6: \Torch\User Data\Default\Login Data 0xa6330:$a6: \Torch\User Data\Default\Login Data 0x89f30:$a7: /n:%temp%\ellocnak.xml 0xaaf50:$a7: /n:%temp%\ellocnak.xml 0x85e70:$a8: "os_crypt":{"encrypted_key":" 0xa6e90:$a8: "os_crypt":{"encrypted_key":" 0x89f60:$a9: Hey I'm Admin 0xaaf80:$a9: Hey I'm Admin 0x8574c:$a10: \logins.json 0xa676c:$a10: \logins.json 0x85de8:$a11: Accounts\Account.rec0
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe PID: 6896	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe PID: 6896	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe PID: 6896	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: rRQnnfB.exe PID: 7220	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: rRQnnfB.exe PID: 7220	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rRQnnfB.exe PID: 7220	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.rRQnnfB.exe.4332420.0.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
13.2.rRQnnfB.exe.4332420.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
13.2.rRQnnfB.exe.4332420.0.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x19280:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x17a64:$a2: SMTP Password 0x1bff0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191d0:$a5: for /F "usebackq tokens=*" %%A in (" 0x1c110:$a7: /n:%temp%\ellocnak.xml 0x18050:$a8: "os_crypt":{"encrypted_key":" 0x1c140:$a9: Hey I'm Admin 0x1792c:$a10: \logins.json 0x17fc8:$a11: Accounts\Account.rec0 0x18f58:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
13.2.rRQnnfB.exe.4332420.0.unpack	AveMaria_WarZone	unknown	unknown	0x19280:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19084:$str2: MsgBox.exe 0x192ec:$str4: \System32\cmd.exe 0x18f58:$str6: Ave_Maria 0x187b8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x17a64:$str8: SMTP Password 0x18784:$str12: \sqlmap.dll 0x1bff0:$str16: Elevation:Administrator!new 0x1c110:$str17: /n:%temp%
13.2.rRQnnfB.exe.4332420.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x1bff0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
13.2.rRQnnfB.exe.4332420.0.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1932d:$r1: Classes\Folder\shell\open\command 0x19350:$k1: DelegateExecute
13.2.rRQnnfB.exe.4332420.0.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x18d74:$s1: RDPClip 0x1944c:$s2: Grabber 0x18f58:$s3: Ave_Maria Stealer OpenSource 0x19058:$s4: \MidgetPorn\workspace\MsgBox.exe 0x1c110:$s6: /n:%temp%\ellocnak.xml 0x1c140:$s7: Hey I'm Admin
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x19280:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x17a64:$a2: SMTP Password 0x1bff0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191d0:$a5: for /F "usebackq tokens=*" %%A in (" 0x1c110:$a7: /n:%temp%\ellocnak.xml 0x18050:$a8: "os_crypt":{"encrypted_key":" 0x1c140:$a9: Hey I'm Admin 0x1792c:$a10: \logins.json 0x17fc8:$a11: Accounts\Account.rec0 0x18f58:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack	AveMaria_WarZone	unknown	unknown	0x19280:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19084:$str2: MsgBox.exe 0x192ec:$str4: \System32\cmd.exe 0x18f58:$str6: Ave_Maria 0x187b8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x17a64:$str8: SMTP Password 0x18784:$str12: \sqlmap.dll 0x1bff0:$str16: Elevation:Administrator!new 0x1c110:$str17: /n:%temp%
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x1bff0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1932d:$r1: Classes\Folder\shell\open\command 0x19350:$k1: DelegateExecute
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x18d74:$s1: RDPClip 0x1944c:$s2: Grabber 0x18f58:$s3: Ave_Maria Stealer OpenSource 0x19058:$s4: \MidgetPorn\workspace\MsgBox.exe 0x1c110:$s6: /n:%temp%\ellocnak.xml 0x1c140:$s7: Hey I'm Admin
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1ac80:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x3bca0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19464:$a2: SMTP Password 0x3a484:$a2: SMTP Password 0x18518:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x39538:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1d9f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3ea10:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1abd0:$a5: for /F "usebackq tokens=" %%A in (" 0x3bbf0:$a5: for /F "usebackq tokens=" %%A in (" 0x18ef0:$a6: \Torch\User Data\Default\Login Data 0x39f10:$a6: \Torch\User Data\Default\Login Data 0x1db10:$a7: /n:%temp%\ellocnak.xml 0x3eb30:$a7: /n:%temp%\ellocnak.xml 0x19a50:$a8: "os_crypt":{"encrypted_key":" 0x3aa70:$a8: "os_crypt":{"encrypted_key":" 0x1db40:$a9: Hey I'm Admin 0x3eb60:$a9: Hey I'm Admin 0x1932c:$a10: \logins.json 0x3a34c:$a10: \logins.json 0x199c8:$a11: Accounts\Account.rec0
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18b30:$a1: \Opera Software\Opera Stable\Login Data 0x39b50:$a1: \Opera Software\Opera Stable\Login Data 0x18e58:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39e78:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x186e0:$a3: \Google\Chrome\User Data\Default\Login Data 0x39700:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack	AveMaria_WarZone	unknown	unknown	0x1ac80:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x3bca0:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1aa84:$str2: MsgBox.exe 0x3baa4:$str2: MsgBox.exe 0x1acec:$str4: \System32\cmd.exe 0x3bd0c:$str4: \System32\cmd.exe 0x1a958:$str6: Ave_Maria 0x3b978:$str6: Ave_Maria 0x1a1b8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x3b1d8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x19464:$str8: SMTP Password 0x3a484:$str8: SMTP Password 0x186e0:$str11: \Google\Chrome\User Data\Default\Login Data 0x39700:$str11: \Google\Chrome\User Data\Default\Login Data 0x1a184:$str12: \sqlmap.dll 0x3b1a4:$str12: \sqlmap.dll 0x1d9f0:$str16: Elevation:Administrator!new 0x3ea10:$str16: Elevation:Administrator!new 0x1db10:$str17: /n:%temp% 0x3eb30:$str17: /n:%temp%
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x1d9f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3ea10:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1ad2d:$r1: Classes\Folder\shell\open\command 0x3bd4d:$r1: Classes\Folder\shell\open\command 0x1ad50:$k1: DelegateExecute 0x3bd70:$k1: DelegateExecute
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x1a774:$s1: RDPClip 0x3b794:$s1: RDPClip 0x1ae4c:$s2: Grabber 0x3be6c:$s2: Grabber 0x1a958:$s3: Ave_Maria Stealer OpenSource 0x3b978:$s3: Ave_Maria Stealer OpenSource 0x1aa58:$s4: \MidgetPorn\workspace\MsgBox.exe 0x3ba78:$s4: \MidgetPorn\workspace\MsgBox.exe 0x1db10:$s6: /n:%temp%\ellocnak.xml 0x3eb30:$s6: /n:%temp%\ellocnak.xml 0x1db40:$s7: Hey I'm Admin 0x3eb60:$s7: Hey I'm Admin
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1aea8:$pwsh: powershell 0x3bec8:$pwsh: powershell 0x1803b:$s2: User-Agent: 0x3905b:$s2: User-Agent: 0x18234:$s4: LdrLoadDll 0x39254:$s4: LdrLoadDll 0x17abc:$v6: start 0x38adc:$v6: start
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x7d8a0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x9e8c0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x7c084:$a2: SMTP Password 0x9d0a4:$a2: SMTP Password 0x7b138:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x9c158:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x80610:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xa1630:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x7d7f0:$a5: for /F "usebackq tokens=" %%A in (" 0x9e810:$a5: for /F "usebackq tokens=" %%A in (" 0x7bb10:$a6: \Torch\User Data\Default\Login Data 0x9cb30:$a6: \Torch\User Data\Default\Login Data 0x80730:$a7: /n:%temp%\ellocnak.xml 0xa1750:$a7: /n:%temp%\ellocnak.xml 0x7c670:$a8: "os_crypt":{"encrypted_key":" 0x9d690:$a8: "os_crypt":{"encrypted_key":" 0x80760:$a9: Hey I'm Admin 0xa1780:$a9: Hey I'm Admin 0x7bf4c:$a10: \logins.json 0x9cf6c:$a10: \logins.json 0x7c5e8:$a11: Accounts\Account.rec0
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x7b750:$a1: \Opera Software\Opera Stable\Login Data 0x9c770:$a1: \Opera Software\Opera Stable\Login Data 0x7ba78:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x9ca98:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7b300:$a3: \Google\Chrome\User Data\Default\Login Data 0x9c320:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x7d94d:$r1: Classes\Folder\shell\open\command 0x9e96d:$r1: Classes\Folder\shell\open\command 0x7d970:$k1: DelegateExecute 0x9e990:$k1: DelegateExecute
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x7d394:$s1: RDPClip 0x9e3b4:$s1: RDPClip 0x7da6c:$s2: Grabber 0x9ea8c:$s2: Grabber 0x7d578:$s3: Ave_Maria Stealer OpenSource 0x9e598:$s3: Ave_Maria Stealer OpenSource 0x7d678:$s4: \MidgetPorn\workspace\MsgBox.exe 0x9e698:$s4: \MidgetPorn\workspace\MsgBox.exe 0x80730:$s6: /n:%temp%\ellocnak.xml 0xa1750:$s6: /n:%temp%\ellocnak.xml 0x80760:$s7: Hey I'm Admin 0xa1780:$s7: Hey I'm Admin
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x7dac8:$pwsh: powershell 0x9eae8:$pwsh: powershell 0x7ac5b:$s2: User-Agent: 0x9bc7b:$s2: User-Agent: 0x7ae54:$s4: LdrLoadDll 0x9be74:$s4: LdrLoadDll 0x7a6dc:$v6: start 0x9b6fc:$v6: start
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0xe04c0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1014e0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0xdeca4:$a2: SMTP Password 0xffcc4:$a2: SMTP Password 0xddd58:$a3: select signon_realm, origin_url, username_value, password_value from logins 0xfed78:$a3: select signon_realm, origin_url, username_value, password_value from logins 0xe3230:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x104250:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xe0410:$a5: for /F "usebackq tokens=" %%A in (" 0x101430:$a5: for /F "usebackq tokens=" %%A in (" 0xde730:$a6: \Torch\User Data\Default\Login Data 0xff750:$a6: \Torch\User Data\Default\Login Data 0xe3350:$a7: /n:%temp%\ellocnak.xml 0x104370:$a7: /n:%temp%\ellocnak.xml 0xdf290:$a8: "os_crypt":{"encrypted_key":" 0x1002b0:$a8: "os_crypt":{"encrypted_key":" 0xe3380:$a9: Hey I'm Admin 0x1043a0:$a9: Hey I'm Admin 0xdeb6c:$a10: \logins.json 0xffb8c:$a10: \logins.json 0xdf208:$a11: Accounts\Account.rec0
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0xe056d:$r1: Classes\Folder\shell\open\command 0x10158d:$r1: Classes\Folder\shell\open\command 0xe0590:$k1: DelegateExecute 0x1015b0:$k1: DelegateExecute
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0xdffb4:$s1: RDPClip 0x100fd4:$s1: RDPClip 0xe068c:$s2: Grabber 0x1016ac:$s2: Grabber 0xe0198:$s3: Ave_Maria Stealer OpenSource 0x1011b8:$s3: Ave_Maria Stealer OpenSource 0xe0298:$s4: \MidgetPorn\workspace\MsgBox.exe 0x1012b8:$s4: \MidgetPorn\workspace\MsgBox.exe 0xe3350:$s6: /n:%temp%\ellocnak.xml 0x104370:$s6: /n:%temp%\ellocnak.xml 0xe3380:$s7: Hey I'm Admin 0x1043a0:$s7: Hey I'm Admin
0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0xe06e8:$pwsh: powershell 0x101708:$pwsh: powershell 0xdd87b:$s2: User-Agent: 0xfe89b:$s2: User-Agent: 0xdda74:$s4: LdrLoadDll 0xfea94:$s4: LdrLoadDll 0xdd2fc:$v6: start 0xfe31c:$v6: start
13.2.rRQnnfB.exe.434f090.1.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
13.2.rRQnnfB.exe.434f090.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.rRQnnfB.exe.434f090.1.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
13.2.rRQnnfB.exe.434f090.1.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1f030:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1d814:$a2: SMTP Password 0x1c8c8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0xd80:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x21da0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1ef80:$a5: for /F "usebackq tokens=*" %%A in (" 0x1d2a0:$a6: \Torch\User Data\Default\Login Data 0xea0:$a7: /n:%temp%\ellocnak.xml 0x21ec0:$a7: /n:%temp%\ellocnak.xml 0x1de00:$a8: "os_crypt":{"encrypted_key":" 0xed0:$a9: Hey I'm Admin 0x21ef0:$a9: Hey I'm Admin 0x1d6dc:$a10: \logins.json 0x1dd78:$a11: Accounts\Account.rec0 0x1ed08:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
13.2.rRQnnfB.exe.434f090.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1f0dd:$r1: Classes\Folder\shell\open\command 0x1f100:$k1: DelegateExecute
13.2.rRQnnfB.exe.434f090.1.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x1eb24:$s1: RDPClip 0x1f1fc:$s2: Grabber 0x1ed08:$s3: Ave_Maria Stealer OpenSource 0x1ee08:$s4: \MidgetPorn\workspace\MsgBox.exe 0xea0:$s6: /n:%temp%\ellocnak.xml 0x21ec0:$s6: /n:%temp%\ellocnak.xml 0xed0:$s7: Hey I'm Admin 0x21ef0:$s7: Hey I'm Admin
13.2.rRQnnfB.exe.434f090.1.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1f258:$pwsh: powershell 0x1c3eb:$s2: User-Agent: 0x1c5e4:$s4: LdrLoadDll 0x1be6c:$v6: start
13.2.rRQnnfB.exe.4332420.0.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
13.2.rRQnnfB.exe.4332420.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.rRQnnfB.exe.4332420.0.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
13.2.rRQnnfB.exe.4332420.0.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1ac80:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x3bca0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19464:$a2: SMTP Password 0x3a484:$a2: SMTP Password 0x18518:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x39538:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x1d9f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3ea10:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1abd0:$a5: for /F "usebackq tokens=" %%A in (" 0x3bbf0:$a5: for /F "usebackq tokens=" %%A in (" 0x18ef0:$a6: \Torch\User Data\Default\Login Data 0x39f10:$a6: \Torch\User Data\Default\Login Data 0x1db10:$a7: /n:%temp%\ellocnak.xml 0x3eb30:$a7: /n:%temp%\ellocnak.xml 0x19a50:$a8: "os_crypt":{"encrypted_key":" 0x3aa70:$a8: "os_crypt":{"encrypted_key":" 0x1db40:$a9: Hey I'm Admin 0x3eb60:$a9: Hey I'm Admin 0x1932c:$a10: \logins.json 0x3a34c:$a10: \logins.json 0x199c8:$a11: Accounts\Account.rec0
13.2.rRQnnfB.exe.4332420.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1ad2d:$r1: Classes\Folder\shell\open\command 0x3bd4d:$r1: Classes\Folder\shell\open\command 0x1ad50:$k1: DelegateExecute 0x3bd70:$k1: DelegateExecute
13.2.rRQnnfB.exe.4332420.0.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x1a774:$s1: RDPClip 0x3b794:$s1: RDPClip 0x1ae4c:$s2: Grabber 0x3be6c:$s2: Grabber 0x1a958:$s3: Ave_Maria Stealer OpenSource 0x3b978:$s3: Ave_Maria Stealer OpenSource 0x1aa58:$s4: \MidgetPorn\workspace\MsgBox.exe 0x3ba78:$s4: \MidgetPorn\workspace\MsgBox.exe 0x1db10:$s6: /n:%temp%\ellocnak.xml 0x3eb30:$s6: /n:%temp%\ellocnak.xml 0x1db40:$s7: Hey I'm Admin 0x3eb60:$s7: Hey I'm Admin
13.2.rRQnnfB.exe.4332420.0.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x1aea8:$pwsh: powershell 0x3bec8:$pwsh: powershell 0x1803b:$s2: User-Agent: 0x3905b:$s2: User-Agent: 0x18234:$s4: LdrLoadDll 0x39254:$s4: LdrLoadDll 0x17abc:$v6: start 0x38adc:$v6: start
Click to see the 48 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, ParentProcessId: 6896, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe", ProcessId: 4280, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpF613.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpF613.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\rRQnnfB.exe, ParentImage: C:\Users\user\AppData\Roaming\rRQnnfB.exe, ParentProcessId: 7220, ParentProcessName: rRQnnfB.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpF613.tmp", ProcessId: 7424, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpE51C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpE51C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, ParentProcessId: 6896, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpE51C.tmp", ProcessId: 3192, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, ParentProcessId: 6896, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe", ProcessId: 4280, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpE51C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpE51C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, ParentProcessId: 6896, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpE51C.tmp", ProcessId: 3192, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack

Malware Configuration Extractor: AveMaria {"C2 url": "wznne1.duckdns.org", "port": 63196, "Proxy Port": 0}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Virustotal: Detection: 39%			Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Virustotal: Detection: 39%			Perma Link

Yara detected AveMaria stealer

Source: Yara match	File source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Joe Sandbox ML: detected

Exploits

Yara detected UACMe UAC Bypass tool

Source: Yara match	File source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe PID: 6896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rRQnnfB.exe PID: 7220, type: MEMORYSTR

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: fFdw.pdb source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, rRQnnfB.exe.0.dr
Source:	Binary string: fFdw.pdbSHA256TFB source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, rRQnnfB.exe.0.dr

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: wznne1.duckdns.org

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1869611688.000000000279F000.00000004.00000800.00020000.00000000.sdmp, rRQnnfB.exe, 0000000D.00000002.1918659052.0000000002A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883579784.0000000005070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, rRQnnfB.exe, 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_886a90b9-2

E-Banking Fraud

Yara detected AveMaria stealer

Source: Yara match	File source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_08706780 NtQueryInformationProcess,	0_2_08706780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_08706CA0 NtQueryInformationProcess,	0_2_08706CA0
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB6780 NtQueryInformationProcess,	13_2_06CB6780
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB6C58 NtQueryInformationProcess,	13_2_06CB6C58

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_0088EF04	0_2_0088EF04
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_06F573B8	0_2_06F573B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_06F51EA8	0_2_06F51EA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_06F51E98	0_2_06F51E98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_06F515D0	0_2_06F515D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_06F51198	0_2_06F51198
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_087028D0	0_2_087028D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_087068A4	0_2_087068A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_08703BA0	0_2_08703BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_08708C20	0_2_08708C20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_08700040	0_2_08700040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_0870F4FA	0_2_0870F4FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_08705870	0_2_08705870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_087028C0	0_2_087028C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_08705880	0_2_08705880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_0870F980	0_2_0870F980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_08703B90	0_2_08703B90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_08708C10	0_2_08708C10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_08705CB8	0_2_08705CB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_08706E28	0_2_08706E28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_08708EB0	0_2_08708EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_08708EA0	0_2_08708EA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Code function: 0_2_08706178	0_2_08706178
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_0281EF04	13_2_0281EF04
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_02986568	13_2_02986568
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_02981198	13_2_02981198
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_02981EA8	13_2_02981EA8
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_02981EA3	13_2_02981EA3
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_029815D0	13_2_029815D0
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_04FA7768	13_2_04FA7768
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_04FA0040	13_2_04FA0040
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_04FA001C	13_2_04FA001C
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_04FA7740	13_2_04FA7740
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB0040	13_2_06CB0040
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB8C20	13_2_06CB8C20
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB3BA0	13_2_06CB3BA0
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB28D0	13_2_06CB28D0
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB68A4	13_2_06CB68A4
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBF5A7	13_2_06CBF5A7
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB6178	13_2_06CB6178
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB8EA0	13_2_06CB8EA0
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB8EB0	13_2_06CB8EB0
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB6E28	13_2_06CB6E28
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB5CB8	13_2_06CB5CB8
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB8C10	13_2_06CB8C10
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB3B90	13_2_06CB3B90
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB28C0	13_2_06CB28C0
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB5880	13_2_06CB5880
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB2898	13_2_06CB2898
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CB5870	13_2_06CB5870
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBF9E0	13_2_06CBF9E0

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1868545597.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1884778433.0000000006EB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000000.1821904359.0000000000266000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefFdw.exe( vs SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Binary or memory string: OriginalFilenamefFdw.exe( vs SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rRQnnfB.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, CVeAIRqKVAUjENZeFc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, CVeAIRqKVAUjENZeFc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, CX3iJ4B259LhE6n5YZ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, CX3iJ4B259LhE6n5YZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, CX3iJ4B259LhE6n5YZ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, CX3iJ4B259LhE6n5YZ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, CX3iJ4B259LhE6n5YZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, CX3iJ4B259LhE6n5YZ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, CX3iJ4B259LhE6n5YZ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, CX3iJ4B259LhE6n5YZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, CX3iJ4B259LhE6n5YZ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, CVeAIRqKVAUjENZeFc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@35/15@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

File created: C:\Users\user\AppData\Roaming\rRQnnfB.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Mutant created: \Sessions\1\BaseNamedObjects\BZvfDvpVAjvktJhjnBq
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1612:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE51C.tmp

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Virustotal: Detection: 39%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rRQnnfB.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpE51C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\rRQnnfB.exe C:\Users\user\AppData\Roaming\rRQnnfB.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpF613.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rRQnnfB.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpE51C.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpF613.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: fFdw.pdb source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, rRQnnfB.exe.0.dr
Source:	Binary string: fFdw.pdbSHA256TFB source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, rRQnnfB.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, CX3iJ4B259LhE6n5YZ.cs	.Net Code: WFnrnxulDq System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.86d0000.5.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, CX3iJ4B259LhE6n5YZ.cs	.Net Code: WFnrnxulDq System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.35c0b90.2.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, CX3iJ4B259LhE6n5YZ.cs	.Net Code: WFnrnxulDq System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_02984982 pushad ; retf	13_2_02984983
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_029857A1 pushfd ; retf 0006h	13_2_029857A2
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_02985760 pushfd ; retf 0006h	13_2_02985762
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_04FA5A52 push edx; ret	13_2_04FA5A58
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_04FA5A32 push edx; ret	13_2_04FA5A33
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBE649 push esi; retf 0006h	13_2_06CBE64A
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBE7A9 push edi; retf 0006h	13_2_06CBE7AA
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBE7B1 push edi; retf 0006h	13_2_06CBE7B2
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBE468 push ebp; retf 0006h	13_2_06CBE46A
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBE5C0 push esi; retf 0006h	13_2_06CBE5C2
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBE049 push edx; retf 0006h	13_2_06CBE04A
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBE071 push edx; retf 0006h	13_2_06CBE072
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBE1B1 push ebx; retf 0006h	13_2_06CBE1B2
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBE178 push ebx; retf 0006h	13_2_06CBE17A
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBE101 push ebx; retf 0006h	13_2_06CBE102
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBDED9 push ecx; retf 0006h	13_2_06CBDEDA
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBDE68 push ecx; retf 0006h	13_2_06CBDE6A
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBDFB8 push edx; retf 0006h	13_2_06CBDFBA
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBDF4F push ecx; retf 0006h	13_2_06CBDF52
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBDCB9 push eax; retf 0006h	13_2_06CBDCBA
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBED90 pushad ; retf 0006h	13_2_06CBED92
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Code function: 13_2_06CBE84F push edi; retf 0006h	13_2_06CBE852

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Static PE information: section name: .text entropy: 7.890111172644623
Source: rRQnnfB.exe.0.dr	Static PE information: section name: .text entropy: 7.890111172644623

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, wRS7JdEQI6RiJa9NhS.cs	High entropy of concatenated method names: 'qGsqacsCfa', 'AonqycRv3C', 'tVXFxbJhgY', 'lAxFQtROi7', 'tbEFfCUhV9', 'M7rFY0hTdP', 'omUFCwpve7', 'DwvFE4vfDq', 'oHMFmPIHgL', 'N9DFhPow6L'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, tt6vKJoVZYcrI4oodB.cs	High entropy of concatenated method names: 'fnW9jDgwWr', 'Rol9XXhdMy', 'gxD9rxRkin', 'iZq9Zu9I6u', 'Rtj9dCSlyu', 'wqs9q8KF0i', 'Xw491VDD5J', 'sbxD3JhUA6', 'LwSDoRe3b7', 'CBuDKoHiNJ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, SlJvIeZNIyCwQr5pjh.cs	High entropy of concatenated method names: 'OCxnxMceH', 'tCeMKGdXv', 'r6JGxNOn2', 'dvyyPW5nS', 'VrE7kfmqc', 'rT1wFSFpg', 'ldoOGCJpscCShvlEiB', 'q2Y7oZ6yyIVnHsEqIV', 'a3dDvv0XA', 'HV7lKJ14W'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, cAadsMdP0P3JYQkDOD.cs	High entropy of concatenated method names: 'xgM1BHOu5j', 'zQP1dvZiNj', 'DwS1qRunYR', 'dj11TYf3Jn', 'ReN12uAVD5', 'pfBqWa94ga', 'b48qt3xVMX', 'KZ9q3Iu0SC', 'sCWqoZrA7H', 'cgaqK6rSPI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, TQtneES6krZtUT94TX.cs	High entropy of concatenated method names: 'ToString', 'VRosH0FTyp', 'rg1sSZxsr4', 'fEjsxUR4mW', 'wpxsQL631s', 'ALtsfMBk8M', 'MyxsYvEObE', 'QQjsCnSfnh', 'Q7isE48Hn4', 'Af9smVBvFS'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, s6ncy1Lw04bCpVC7if.cs	High entropy of concatenated method names: 'Dispose', 'oNSjKA5elf', 'XlovS6YUkF', 'itW55sLOdM', 'h4Lj8cBljy', 'DuGjz5GgxS', 'ProcessDialogKey', 'kWovcuBdgh', 'rr5vjisbjM', 'iUfvvKAGYK'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, oaa30fNJAoUh5TUfeuk.cs	High entropy of concatenated method names: 'Pf996KyViH', 'yfd9ikf16g', 'DhX9nWTCM5', 'YJ79M5Emnb', 'Tmm9anHg0w', 'yUT9GRO5aQ', 'W8j9y5GXK2', 'SxX9N8jNAQ', 'Re397XTGyK', 'KJE9wvEL2t'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, NXXgJGNZk0xKRQAS8QG.cs	High entropy of concatenated method names: 'Sofl6qPXE1', 'TgpliIg4B1', 'TBKlnJU3AU', 'eRbItx8zgOZywHM7d3r', 'bNWcyMMbpQGVakAUR7y', 'S4ijp9M4EsdKDAKQDiN'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, Fvn8m7tuOPdvJ4jDnZ.cs	High entropy of concatenated method names: 'wEHT6iyD3M', 'pViTiPZRa5', 'CuwTn6KKZt', 'wRxTMmyUxk', 'bHaTannbOK', 'HU3TGnWPLV', 'eucTyxqB8X', 'KcsTNBIkgP', 'En0T7yuVRN', 'qLqTwNTaIU'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, yR88jQMAKhKEMBS7Qu.cs	High entropy of concatenated method names: 'IHqRhH8bkF', 'oScRkjoqAO', 'WQNRpEeLxX', 'ltXRJMYboi', 'A8aRSWomNG', 'vJhRx61oo5', 'InIRQEV7JH', 'hxwRfTLoOh', 'o1kRYZT8kJ', 'ljHRCdKuv3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, oeey8gH5TTgCq9FdMc.cs	High entropy of concatenated method names: 'C6HjTs83ZJ', 'U4Ej22xPyc', 'VinjPejMWV', 'E8uj4Sb2b2', 'IigjRX8Py7', 'ckRjs4pxBQ', 'PEJqXgPviLpQLeEbQb', 'WXJfRneRkWoWEb4vHN', 'nmBjjGLQpQ', 'myNjXDPJ0s'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, v665J5NNjabfWwhwPp6.cs	High entropy of concatenated method names: 'ToString', 'XWAlXwMrYG', 'jTYlrqhljG', 'wTVlBbIV75', 'x0rlZAuktm', 'skWld6Bnei', 'UkVlFIKdkL', 'sPflqjqo31', 'BBknmk8ApeuCE73tXjN', 'M0VEtA8nZPTChFjRxBO'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, CX3iJ4B259LhE6n5YZ.cs	High entropy of concatenated method names: 'tvyXBYGpP8', 'gWBXZ3CUsX', 'hLpXdMQLgv', 'Is4XFUFeHs', 'HHWXqKUsZd', 'S4pX1cWpyF', 'prmXT0rHoK', 'hjGX2yUBhh', 'JbDXVZmfgm', 'obpXP0ChjW'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, NP4J8S8hP8gr8Qji8u.cs	High entropy of concatenated method names: 'hZiDgeCHsX', 'DFjDSYPckD', 'BTnDxHobBk', 'haVDQqX7uI', 'QHIDpiu4en', 'egDDfYQMBC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, ByvjEchBSQcyD9Vy3C.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Gl2vKdo5R9', 'FIFv8lcAXO', 'DxtvzKsQsy', 'jJNXcbF2Rs', 'uRDXjD7EE7', 'RWfXv3tmk1', 'zkPXXUb9mB', 'ukP3BB4M0QQHdO9uZxw'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, i0aMmgNuZExrOY05mT6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mWslpFU3hs', 'DfnlJRGkRa', 'Lcklue5d8o', 'cjVlbcyZka', 'UaGlW9XlcY', 'yUkltOomeR', 'k5el3ISGuE'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, b1ylFLKTXKNi2gtlJZ.cs	High entropy of concatenated method names: 'M9wTZ3mjFH', 'G37TFRk3Ew', 'xV5T1mkme2', 'lbc18KuF7i', 'WNa1zdimet', 'jhDTcTr4lZ', 'LINTjxt5qg', 'djFTv32CZk', 'mJsTX1UX2C', 'CkKTrbbKe6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, cA9TsJkCtNpsbMUBWc.cs	High entropy of concatenated method names: 'gDeFMxHDg7', 'tZNFGFYYuG', 'pQfFNQLOOP', 'dpmF7M5Io2', 'zTSFRtAR1E', 'pARFs8gcCZ', 'fOKFUahZfY', 'lphFDGNDv8', 'GnYF9MBVK2', 'uPnFlKeLrm'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, CVeAIRqKVAUjENZeFc.cs	High entropy of concatenated method names: 'YJRdpxy1NO', 'USrdJsEI7v', 'tCVdu794ZX', 'dnHdbPcqSV', 'CmvdWgnUIR', 'W5SdtbkBVk', 'IRYd3nb0I8', 'zHUdoo2DEd', 'yqgdKc1kvM', 'mcWd8VrqyV'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, Jo4VD4njEJmiQrM7K2.cs	High entropy of concatenated method names: 'qRvkmtogWGstKeCOtcF', 'qVZlTAoLLquOPKwisnu', 'U8h1D25St5', 'i7m19Kryb4', 'Rn11lLF1in', 'c8s0pAoD4UJMfqDuFId', 'Elhuv2oxYbLd2IMTHeR'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, mj9pkKDWJbxAigqQ8p.cs	High entropy of concatenated method names: 'qrEDZY2yGp', 'ziaDdVdsK0', 'aReDFfdEqL', 'A7uDqG3cMG', 'Q4dD1SGVPj', 'WfQDTLrjvq', 'cLbD2RiHX1', 'qu3DV2UtU9', 'YZ4DPobOqM', 'woQD4R8BD3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, RZUQGYQDOgsRHRAqv4.cs	High entropy of concatenated method names: 'u0vUoIiad5', 'JrbU8sfZEj', 've0Dc5jGF6', 'PwxDjOKoAO', 'Nv4UHwrak6', 'aVFUk1voNA', 'KcTUL7Y7VZ', 'j7TUpBD9T8', 'iyPUJwKohc', 'VfTUuB6RW5'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, Gi4mvvUS94GkjKbif0.cs	High entropy of concatenated method names: 'jLFANL9Bcu', 'b0eA7lDbfw', 'SilAgddMd5', 'I2HASp1hBL', 'uBAAQexT4I', 'NBlAfKaRUx', 'BrLAC4xqLg', 'dQyAEgVnmD', 'TkOAhKv7IA', 'UHEAHLKm0D'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, wRS7JdEQI6RiJa9NhS.cs	High entropy of concatenated method names: 'qGsqacsCfa', 'AonqycRv3C', 'tVXFxbJhgY', 'lAxFQtROi7', 'tbEFfCUhV9', 'M7rFY0hTdP', 'omUFCwpve7', 'DwvFE4vfDq', 'oHMFmPIHgL', 'N9DFhPow6L'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, tt6vKJoVZYcrI4oodB.cs	High entropy of concatenated method names: 'fnW9jDgwWr', 'Rol9XXhdMy', 'gxD9rxRkin', 'iZq9Zu9I6u', 'Rtj9dCSlyu', 'wqs9q8KF0i', 'Xw491VDD5J', 'sbxD3JhUA6', 'LwSDoRe3b7', 'CBuDKoHiNJ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, SlJvIeZNIyCwQr5pjh.cs	High entropy of concatenated method names: 'OCxnxMceH', 'tCeMKGdXv', 'r6JGxNOn2', 'dvyyPW5nS', 'VrE7kfmqc', 'rT1wFSFpg', 'ldoOGCJpscCShvlEiB', 'q2Y7oZ6yyIVnHsEqIV', 'a3dDvv0XA', 'HV7lKJ14W'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, cAadsMdP0P3JYQkDOD.cs	High entropy of concatenated method names: 'xgM1BHOu5j', 'zQP1dvZiNj', 'DwS1qRunYR', 'dj11TYf3Jn', 'ReN12uAVD5', 'pfBqWa94ga', 'b48qt3xVMX', 'KZ9q3Iu0SC', 'sCWqoZrA7H', 'cgaqK6rSPI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, TQtneES6krZtUT94TX.cs	High entropy of concatenated method names: 'ToString', 'VRosH0FTyp', 'rg1sSZxsr4', 'fEjsxUR4mW', 'wpxsQL631s', 'ALtsfMBk8M', 'MyxsYvEObE', 'QQjsCnSfnh', 'Q7isE48Hn4', 'Af9smVBvFS'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, s6ncy1Lw04bCpVC7if.cs	High entropy of concatenated method names: 'Dispose', 'oNSjKA5elf', 'XlovS6YUkF', 'itW55sLOdM', 'h4Lj8cBljy', 'DuGjz5GgxS', 'ProcessDialogKey', 'kWovcuBdgh', 'rr5vjisbjM', 'iUfvvKAGYK'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, oaa30fNJAoUh5TUfeuk.cs	High entropy of concatenated method names: 'Pf996KyViH', 'yfd9ikf16g', 'DhX9nWTCM5', 'YJ79M5Emnb', 'Tmm9anHg0w', 'yUT9GRO5aQ', 'W8j9y5GXK2', 'SxX9N8jNAQ', 'Re397XTGyK', 'KJE9wvEL2t'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, NXXgJGNZk0xKRQAS8QG.cs	High entropy of concatenated method names: 'Sofl6qPXE1', 'TgpliIg4B1', 'TBKlnJU3AU', 'eRbItx8zgOZywHM7d3r', 'bNWcyMMbpQGVakAUR7y', 'S4ijp9M4EsdKDAKQDiN'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, Fvn8m7tuOPdvJ4jDnZ.cs	High entropy of concatenated method names: 'wEHT6iyD3M', 'pViTiPZRa5', 'CuwTn6KKZt', 'wRxTMmyUxk', 'bHaTannbOK', 'HU3TGnWPLV', 'eucTyxqB8X', 'KcsTNBIkgP', 'En0T7yuVRN', 'qLqTwNTaIU'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, yR88jQMAKhKEMBS7Qu.cs	High entropy of concatenated method names: 'IHqRhH8bkF', 'oScRkjoqAO', 'WQNRpEeLxX', 'ltXRJMYboi', 'A8aRSWomNG', 'vJhRx61oo5', 'InIRQEV7JH', 'hxwRfTLoOh', 'o1kRYZT8kJ', 'ljHRCdKuv3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, oeey8gH5TTgCq9FdMc.cs	High entropy of concatenated method names: 'C6HjTs83ZJ', 'U4Ej22xPyc', 'VinjPejMWV', 'E8uj4Sb2b2', 'IigjRX8Py7', 'ckRjs4pxBQ', 'PEJqXgPviLpQLeEbQb', 'WXJfRneRkWoWEb4vHN', 'nmBjjGLQpQ', 'myNjXDPJ0s'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, v665J5NNjabfWwhwPp6.cs	High entropy of concatenated method names: 'ToString', 'XWAlXwMrYG', 'jTYlrqhljG', 'wTVlBbIV75', 'x0rlZAuktm', 'skWld6Bnei', 'UkVlFIKdkL', 'sPflqjqo31', 'BBknmk8ApeuCE73tXjN', 'M0VEtA8nZPTChFjRxBO'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, CX3iJ4B259LhE6n5YZ.cs	High entropy of concatenated method names: 'tvyXBYGpP8', 'gWBXZ3CUsX', 'hLpXdMQLgv', 'Is4XFUFeHs', 'HHWXqKUsZd', 'S4pX1cWpyF', 'prmXT0rHoK', 'hjGX2yUBhh', 'JbDXVZmfgm', 'obpXP0ChjW'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, NP4J8S8hP8gr8Qji8u.cs	High entropy of concatenated method names: 'hZiDgeCHsX', 'DFjDSYPckD', 'BTnDxHobBk', 'haVDQqX7uI', 'QHIDpiu4en', 'egDDfYQMBC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, ByvjEchBSQcyD9Vy3C.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Gl2vKdo5R9', 'FIFv8lcAXO', 'DxtvzKsQsy', 'jJNXcbF2Rs', 'uRDXjD7EE7', 'RWfXv3tmk1', 'zkPXXUb9mB', 'ukP3BB4M0QQHdO9uZxw'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, i0aMmgNuZExrOY05mT6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mWslpFU3hs', 'DfnlJRGkRa', 'Lcklue5d8o', 'cjVlbcyZka', 'UaGlW9XlcY', 'yUkltOomeR', 'k5el3ISGuE'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, b1ylFLKTXKNi2gtlJZ.cs	High entropy of concatenated method names: 'M9wTZ3mjFH', 'G37TFRk3Ew', 'xV5T1mkme2', 'lbc18KuF7i', 'WNa1zdimet', 'jhDTcTr4lZ', 'LINTjxt5qg', 'djFTv32CZk', 'mJsTX1UX2C', 'CkKTrbbKe6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, cA9TsJkCtNpsbMUBWc.cs	High entropy of concatenated method names: 'gDeFMxHDg7', 'tZNFGFYYuG', 'pQfFNQLOOP', 'dpmF7M5Io2', 'zTSFRtAR1E', 'pARFs8gcCZ', 'fOKFUahZfY', 'lphFDGNDv8', 'GnYF9MBVK2', 'uPnFlKeLrm'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, CVeAIRqKVAUjENZeFc.cs	High entropy of concatenated method names: 'YJRdpxy1NO', 'USrdJsEI7v', 'tCVdu794ZX', 'dnHdbPcqSV', 'CmvdWgnUIR', 'W5SdtbkBVk', 'IRYd3nb0I8', 'zHUdoo2DEd', 'yqgdKc1kvM', 'mcWd8VrqyV'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, Jo4VD4njEJmiQrM7K2.cs	High entropy of concatenated method names: 'qRvkmtogWGstKeCOtcF', 'qVZlTAoLLquOPKwisnu', 'U8h1D25St5', 'i7m19Kryb4', 'Rn11lLF1in', 'c8s0pAoD4UJMfqDuFId', 'Elhuv2oxYbLd2IMTHeR'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, mj9pkKDWJbxAigqQ8p.cs	High entropy of concatenated method names: 'qrEDZY2yGp', 'ziaDdVdsK0', 'aReDFfdEqL', 'A7uDqG3cMG', 'Q4dD1SGVPj', 'WfQDTLrjvq', 'cLbD2RiHX1', 'qu3DV2UtU9', 'YZ4DPobOqM', 'woQD4R8BD3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, RZUQGYQDOgsRHRAqv4.cs	High entropy of concatenated method names: 'u0vUoIiad5', 'JrbU8sfZEj', 've0Dc5jGF6', 'PwxDjOKoAO', 'Nv4UHwrak6', 'aVFUk1voNA', 'KcTUL7Y7VZ', 'j7TUpBD9T8', 'iyPUJwKohc', 'VfTUuB6RW5'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, Gi4mvvUS94GkjKbif0.cs	High entropy of concatenated method names: 'jLFANL9Bcu', 'b0eA7lDbfw', 'SilAgddMd5', 'I2HASp1hBL', 'uBAAQexT4I', 'NBlAfKaRUx', 'BrLAC4xqLg', 'dQyAEgVnmD', 'TkOAhKv7IA', 'UHEAHLKm0D'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, wRS7JdEQI6RiJa9NhS.cs	High entropy of concatenated method names: 'qGsqacsCfa', 'AonqycRv3C', 'tVXFxbJhgY', 'lAxFQtROi7', 'tbEFfCUhV9', 'M7rFY0hTdP', 'omUFCwpve7', 'DwvFE4vfDq', 'oHMFmPIHgL', 'N9DFhPow6L'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, tt6vKJoVZYcrI4oodB.cs	High entropy of concatenated method names: 'fnW9jDgwWr', 'Rol9XXhdMy', 'gxD9rxRkin', 'iZq9Zu9I6u', 'Rtj9dCSlyu', 'wqs9q8KF0i', 'Xw491VDD5J', 'sbxD3JhUA6', 'LwSDoRe3b7', 'CBuDKoHiNJ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, SlJvIeZNIyCwQr5pjh.cs	High entropy of concatenated method names: 'OCxnxMceH', 'tCeMKGdXv', 'r6JGxNOn2', 'dvyyPW5nS', 'VrE7kfmqc', 'rT1wFSFpg', 'ldoOGCJpscCShvlEiB', 'q2Y7oZ6yyIVnHsEqIV', 'a3dDvv0XA', 'HV7lKJ14W'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, cAadsMdP0P3JYQkDOD.cs	High entropy of concatenated method names: 'xgM1BHOu5j', 'zQP1dvZiNj', 'DwS1qRunYR', 'dj11TYf3Jn', 'ReN12uAVD5', 'pfBqWa94ga', 'b48qt3xVMX', 'KZ9q3Iu0SC', 'sCWqoZrA7H', 'cgaqK6rSPI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, TQtneES6krZtUT94TX.cs	High entropy of concatenated method names: 'ToString', 'VRosH0FTyp', 'rg1sSZxsr4', 'fEjsxUR4mW', 'wpxsQL631s', 'ALtsfMBk8M', 'MyxsYvEObE', 'QQjsCnSfnh', 'Q7isE48Hn4', 'Af9smVBvFS'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, s6ncy1Lw04bCpVC7if.cs	High entropy of concatenated method names: 'Dispose', 'oNSjKA5elf', 'XlovS6YUkF', 'itW55sLOdM', 'h4Lj8cBljy', 'DuGjz5GgxS', 'ProcessDialogKey', 'kWovcuBdgh', 'rr5vjisbjM', 'iUfvvKAGYK'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, oaa30fNJAoUh5TUfeuk.cs	High entropy of concatenated method names: 'Pf996KyViH', 'yfd9ikf16g', 'DhX9nWTCM5', 'YJ79M5Emnb', 'Tmm9anHg0w', 'yUT9GRO5aQ', 'W8j9y5GXK2', 'SxX9N8jNAQ', 'Re397XTGyK', 'KJE9wvEL2t'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, NXXgJGNZk0xKRQAS8QG.cs	High entropy of concatenated method names: 'Sofl6qPXE1', 'TgpliIg4B1', 'TBKlnJU3AU', 'eRbItx8zgOZywHM7d3r', 'bNWcyMMbpQGVakAUR7y', 'S4ijp9M4EsdKDAKQDiN'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, Fvn8m7tuOPdvJ4jDnZ.cs	High entropy of concatenated method names: 'wEHT6iyD3M', 'pViTiPZRa5', 'CuwTn6KKZt', 'wRxTMmyUxk', 'bHaTannbOK', 'HU3TGnWPLV', 'eucTyxqB8X', 'KcsTNBIkgP', 'En0T7yuVRN', 'qLqTwNTaIU'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, yR88jQMAKhKEMBS7Qu.cs	High entropy of concatenated method names: 'IHqRhH8bkF', 'oScRkjoqAO', 'WQNRpEeLxX', 'ltXRJMYboi', 'A8aRSWomNG', 'vJhRx61oo5', 'InIRQEV7JH', 'hxwRfTLoOh', 'o1kRYZT8kJ', 'ljHRCdKuv3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, oeey8gH5TTgCq9FdMc.cs	High entropy of concatenated method names: 'C6HjTs83ZJ', 'U4Ej22xPyc', 'VinjPejMWV', 'E8uj4Sb2b2', 'IigjRX8Py7', 'ckRjs4pxBQ', 'PEJqXgPviLpQLeEbQb', 'WXJfRneRkWoWEb4vHN', 'nmBjjGLQpQ', 'myNjXDPJ0s'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, v665J5NNjabfWwhwPp6.cs	High entropy of concatenated method names: 'ToString', 'XWAlXwMrYG', 'jTYlrqhljG', 'wTVlBbIV75', 'x0rlZAuktm', 'skWld6Bnei', 'UkVlFIKdkL', 'sPflqjqo31', 'BBknmk8ApeuCE73tXjN', 'M0VEtA8nZPTChFjRxBO'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, CX3iJ4B259LhE6n5YZ.cs	High entropy of concatenated method names: 'tvyXBYGpP8', 'gWBXZ3CUsX', 'hLpXdMQLgv', 'Is4XFUFeHs', 'HHWXqKUsZd', 'S4pX1cWpyF', 'prmXT0rHoK', 'hjGX2yUBhh', 'JbDXVZmfgm', 'obpXP0ChjW'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, NP4J8S8hP8gr8Qji8u.cs	High entropy of concatenated method names: 'hZiDgeCHsX', 'DFjDSYPckD', 'BTnDxHobBk', 'haVDQqX7uI', 'QHIDpiu4en', 'egDDfYQMBC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, ByvjEchBSQcyD9Vy3C.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Gl2vKdo5R9', 'FIFv8lcAXO', 'DxtvzKsQsy', 'jJNXcbF2Rs', 'uRDXjD7EE7', 'RWfXv3tmk1', 'zkPXXUb9mB', 'ukP3BB4M0QQHdO9uZxw'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, i0aMmgNuZExrOY05mT6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mWslpFU3hs', 'DfnlJRGkRa', 'Lcklue5d8o', 'cjVlbcyZka', 'UaGlW9XlcY', 'yUkltOomeR', 'k5el3ISGuE'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, b1ylFLKTXKNi2gtlJZ.cs	High entropy of concatenated method names: 'M9wTZ3mjFH', 'G37TFRk3Ew', 'xV5T1mkme2', 'lbc18KuF7i', 'WNa1zdimet', 'jhDTcTr4lZ', 'LINTjxt5qg', 'djFTv32CZk', 'mJsTX1UX2C', 'CkKTrbbKe6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, cA9TsJkCtNpsbMUBWc.cs	High entropy of concatenated method names: 'gDeFMxHDg7', 'tZNFGFYYuG', 'pQfFNQLOOP', 'dpmF7M5Io2', 'zTSFRtAR1E', 'pARFs8gcCZ', 'fOKFUahZfY', 'lphFDGNDv8', 'GnYF9MBVK2', 'uPnFlKeLrm'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, CVeAIRqKVAUjENZeFc.cs	High entropy of concatenated method names: 'YJRdpxy1NO', 'USrdJsEI7v', 'tCVdu794ZX', 'dnHdbPcqSV', 'CmvdWgnUIR', 'W5SdtbkBVk', 'IRYd3nb0I8', 'zHUdoo2DEd', 'yqgdKc1kvM', 'mcWd8VrqyV'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, Jo4VD4njEJmiQrM7K2.cs	High entropy of concatenated method names: 'qRvkmtogWGstKeCOtcF', 'qVZlTAoLLquOPKwisnu', 'U8h1D25St5', 'i7m19Kryb4', 'Rn11lLF1in', 'c8s0pAoD4UJMfqDuFId', 'Elhuv2oxYbLd2IMTHeR'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, mj9pkKDWJbxAigqQ8p.cs	High entropy of concatenated method names: 'qrEDZY2yGp', 'ziaDdVdsK0', 'aReDFfdEqL', 'A7uDqG3cMG', 'Q4dD1SGVPj', 'WfQDTLrjvq', 'cLbD2RiHX1', 'qu3DV2UtU9', 'YZ4DPobOqM', 'woQD4R8BD3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, RZUQGYQDOgsRHRAqv4.cs	High entropy of concatenated method names: 'u0vUoIiad5', 'JrbU8sfZEj', 've0Dc5jGF6', 'PwxDjOKoAO', 'Nv4UHwrak6', 'aVFUk1voNA', 'KcTUL7Y7VZ', 'j7TUpBD9T8', 'iyPUJwKohc', 'VfTUuB6RW5'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, Gi4mvvUS94GkjKbif0.cs	High entropy of concatenated method names: 'jLFANL9Bcu', 'b0eA7lDbfw', 'SilAgddMd5', 'I2HASp1hBL', 'uBAAQexT4I', 'NBlAfKaRUx', 'BrLAC4xqLg', 'dQyAEgVnmD', 'TkOAhKv7IA', 'UHEAHLKm0D'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

File created: C:\Users\user\AppData\Roaming\rRQnnfB.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpE51C.tmp"

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: rRQnnfB.exe, 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: rRQnnfB.exe, 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe PID: 6896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rRQnnfB.exe PID: 7220, type: MEMORYSTR

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Memory allocated: 880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Memory allocated: 25A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Memory allocated: 45A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Memory allocated: 8850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Memory allocated: 9850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Memory allocated: 9A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Memory allocated: AA60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Memory allocated: B1F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Memory allocated: C1F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Memory allocated: D1F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Memory allocated: 2810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Memory allocated: 2A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Memory allocated: 2970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Memory allocated: 86E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Memory allocated: 6E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Memory allocated: 96E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Memory allocated: A6E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Memory allocated: AF80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Memory allocated: BF80000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5778	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1427	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6102	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1430	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe TID: 6948	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4500	Thread sleep count: 5778 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4208	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4888	Thread sleep count: 1427 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7176	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe TID: 7368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rRQnnfB.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rRQnnfB.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rRQnnfB.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpE51C.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpF613.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Queries volume information: C:\Users\user\AppData\Roaming\rRQnnfB.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AveMaria stealer

Source: Yara match	File source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe PID: 6896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rRQnnfB.exe PID: 7220, type: MEMORYSTR

Remote Access Functionality

Yara detected AveMaria stealer

Source: Yara match	File source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	11 Input Capture	1 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Users	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	32%	ReversingLabs	Win32.Trojan.Generic
SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	40%	Virustotal		Browse
SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\rRQnnfB.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\rRQnnfB.exe	32%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\rRQnnfB.exe	40%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
https://github.com/syohex/java-simple-mine-sweeperC:	0%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
wznne1.duckdns.org	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fontbureau.com	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/syohex/java-simple-mine-sweeperC:	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, rRQnnfB.exe, 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1869611688.000000000279F000.00000004.00000800.00020000.00000000.sdmp, rRQnnfB.exe, 0000000D.00000002.1918659052.0000000002A69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883579784.0000000005070000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543577
Start date and time:	2024-10-28 07:17:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@35/15@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 71 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:18:16	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe modified
02:18:19	API Interceptor	39x Sleep call for process: powershell.exe modified
02:18:22	API Interceptor	1x Sleep call for process: rRQnnfB.exe modified
06:18:21	Task Scheduler	Run new task: rRQnnfB path: C:\Users\user\AppData\Roaming\rRQnnfB.exe

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rRQnnfB.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\rRQnnfB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.3785452578096224
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:fLHyIFKL3IZ2KRH9Oug8s
MD5:	E29FF6D51247365B01A222502165B59F
SHA1:	D135C6EA63AB99E19E1DC6986E21E937DDEE5969
SHA-256:	0F619AB4B884683497272122273E6295AF759B288870BA64E0DB884BE905D769
SHA-512:	4EFD0B4000623C0654F455B1CDCEABEDFA7D4534C4E83E2731457658BCE0BB4FAC0CE8DD1C246666B883376DE243079006A8C82A3F5E8082A8A79AC9623ACC65
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_12401240.ugp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_44lcahnm.ysa.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_beaxd2fj.eub.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g3bijr5y.gns.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sq0hpzw0.wyw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ualgpki3.sov.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_veieiips.qbt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ypq2gapu.0wm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpE51C.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	5.106240095570529
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaxALxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT11v
MD5:	C20562F13FE3263960DC65C83530D786
SHA1:	A2CDC595DF216ADE374A5160B5172A066F781948
SHA-256:	CEA7458FD573B0D78DC37FDFF17EBF199E451AECB11E1F5EB123F13A2653230B
SHA-512:	0B6D401923F3E6E39B44F03EEDE6CD92C093F453642EB048C7A8DAF023FCE3E4373939E731E8977F9967D4A42DEA7972D0B29BDFA10815A6A45FFBC98BFD188D
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpF613.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\rRQnnfB.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	5.106240095570529
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaxALxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT11v
MD5:	C20562F13FE3263960DC65C83530D786
SHA1:	A2CDC595DF216ADE374A5160B5172A066F781948
SHA-256:	CEA7458FD573B0D78DC37FDFF17EBF199E451AECB11E1F5EB123F13A2653230B
SHA-512:	0B6D401923F3E6E39B44F03EEDE6CD92C093F453642EB048C7A8DAF023FCE3E4373939E731E8977F9967D4A42DEA7972D0B29BDFA10815A6A45FFBC98BFD188D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\rRQnnfB.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	735744
Entropy (8bit):	7.882213331390559
Encrypted:	false
SSDEEP:	12288:9qbjoMfzukYwBZ+DPWeGHutARp7ubVoSYOKe5KkohFISCX/B:sos2+HutANuprIiroJCP
MD5:	32BBE58D2336CD18C22D221A3836BD50
SHA1:	7B559B7160FA1F0DE211AFD3DCB81A41A2A7FD89
SHA-256:	066E985867D56271776AB61510202FFDD1BEC246FC15DD38DD17A38223D50D40
SHA-512:	66E3DD18D4BEAFFD40845F5B255B8C95C02BC1D72EC4A0FB831F1B6F48067599E89F8E9ABDFA8579E443F6960E8E90225C22BA0995A17C56C8282204F47017A4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 32% Antivirus: Virustotal, Detection: 40%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0..&...........E... ...`....@.. ....................................@..................................D..O....`..............................\|...T............................................ ............... ..H............text....%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............8..............@..B.................D......H.......`...........U...d^................................................r...p}.....r...p}......}.....(.......(.....6.s....(....&....0..k.......s........t-...o....t....oO...}....(/..........s....o....sG...(....&.{....o....o.....o....t.....{....oP......0............{....o....o......(/...o ....8......(!.....s"....sQ.......o....%..oP......o#......o$......o%.....o.....o&.....{c..........s'...o(.....().....{....o.....o......(+.......(,...:o.............o-...................

C:\Users\user\AppData\Roaming\rRQnnfB.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.882213331390559
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
File size:	735'744 bytes
MD5:	32bbe58d2336cd18c22d221a3836bd50
SHA1:	7b559b7160fa1f0de211afd3dcb81a41a2a7fd89
SHA256:	066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40
SHA512:	66e3dd18d4beaffd40845f5b255b8c95c02bc1d72ec4a0fb831f1b6f48067599e89f8e9abdfa8579e443f6960e8e90225c22ba0995a17c56c8282204f47017a4
SSDEEP:	12288:9qbjoMfzukYwBZ+DPWeGHutARp7ubVoSYOKe5KkohFISCX/B:sos2+HutANuprIiroJCP
TLSH:	46F40298332DCF19E5BD0BFE0862304047B127657161D7EF4EC625DB8AA2B814B1EE97
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0..&...........E... ...`....@.. ....................................@................................

File Icon


Icon Hash:	36366464e4f39537

Static PE Info

General

Entrypoint:	0x4b4502
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x671EDFD8 [Mon Oct 28 00:50:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb44b0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb6000	0xf90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0e7c	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb2508	0xb2600	5513eef5265ee137c97f151900b1cc4b	False	0.8720094056587246	data	7.890111172644623	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb6000	0xf90	0x1000	22ef4965cb87cca31222430a8a608cc9	False	0.60791015625	data	6.501930411066949	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb8000	0xc	0x200	c7a0a2ace1086b7f3a7a22f6e1add36e	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb6100	0x928	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.7495733788395904
RT_GROUP_ICON	0xb6a38	0x14	data	1.05
RT_VERSION	0xb6a5c	0x334	data	0.4292682926829268
RT_MANIFEST	0xb6da0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	02:18:15
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe"
Imagebase:	0x1b0000
File size:	735'744 bytes
MD5 hash:	32BBE58D2336CD18C22D221A3836BD50
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:18:18
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe"
Imagebase:	0xc70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:18:18
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:18:18
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rRQnnfB.exe"
Imagebase:	0xc70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:18:18
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:18:18
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpE51C.tmp"
Imagebase:	0x150000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:18:18
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:18:19
Start date:	28/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0x450000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:18:19
Start date:	28/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0x450000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:18:19
Start date:	28/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0x450000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:18:19
Start date:	28/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0x450000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:18:19
Start date:	28/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0x450000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:18:21
Start date:	28/10/2024
Path:	C:\Users\user\AppData\Roaming\rRQnnfB.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\rRQnnfB.exe
Imagebase:	0x680000
File size:	735'744 bytes
MD5 hash:	32BBE58D2336CD18C22D221A3836BD50
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 32%, ReversingLabs Detection: 40%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:18:21
Start date:	28/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:18:23
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpF613.tmp"
Imagebase:	0x150000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:18:23
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:18:23
Start date:	28/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0x450000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:18:23
Start date:	28/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0x450000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	02:18:23
Start date:	28/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0x450000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	02:18:23
Start date:	28/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0x450000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	02:18:23
Start date:	28/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0x450000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.5%
Total number of Nodes:	194
Total number of Limit Nodes:	10

Executed Functions

Function 08700040 Relevance: 6.1, Strings: 4, Instructions: 1108COMMON

Download Yara Rule

Strings

4'dq, xrefs: 08700D23
4'dq, xrefs: 08700064
(odq, xrefs: 08700728
4'dq, xrefs: 0870016B

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (odq$4'dq$4'dq$4'dq
API String ID: 0-3599379907
Opcode ID: a111a2cdce97cce9c6be4923d752ebdfd5f3afd3dcc5323fc473883fab0d01d4
Instruction ID: 191e359f5a74df4655fd703ac02f41a420f31d785b38d49bf960149cf76feb81
Opcode Fuzzy Hash: a111a2cdce97cce9c6be4923d752ebdfd5f3afd3dcc5323fc473883fab0d01d4
Instruction Fuzzy Hash: C0A27074A00609DFCB14CF68D484BAEBBF2FF89321F158569E4059B299D734E982CF61

Function 08706780 Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 08706D27

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 82e45857cb413698ec0b84f9992611e3d9d968b1935106dacda04197eab8f38c
Instruction ID: d4daca7438e9f80d2f5cfe6d91b53f4d61586f4d11ad573e7aa69f7d5b73e3fc
Opcode Fuzzy Hash: 82e45857cb413698ec0b84f9992611e3d9d968b1935106dacda04197eab8f38c
Instruction Fuzzy Hash: AB21DBB5904359DFCB10CF9AD984ADEBBF5FB58320F10842AE918A7250D375A950CFA1

Function 08706CA0 Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 08706D27

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: addfd5c6ce460f7fc7bea28102fc401fa433372851d153837b6fcce339fcc296
Instruction ID: ed052b0cbfd7afffa2fb7a2493a6a38b59779de563ee152a02fa44899f9c95f7
Opcode Fuzzy Hash: addfd5c6ce460f7fc7bea28102fc401fa433372851d153837b6fcce339fcc296
Instruction Fuzzy Hash: F621DBB5900349DFCB10CF9AD984ADEFBF5FB48320F10842AE918A7250D375A954CFA1

Function 08703BA0 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a299eb0234d5e410cc582eda6457d674beb5cf8cb9cd856b433cd56601dbc8eb
Instruction ID: cb76af837c35d417be724cefd03b14a8e64b6372d54cda5a8e7450e73a263e9c
Opcode Fuzzy Hash: a299eb0234d5e410cc582eda6457d674beb5cf8cb9cd856b433cd56601dbc8eb
Instruction Fuzzy Hash: DE426D74E01228CFDB54CFA9D984B9DBBB2FB48311F1085A9D819A7395D734AE81CF50

Function 087028D0 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daaebf2d803c461f3faccb796fcda87f3b61d08384fd3878954fd6b6e544b9ce
Instruction ID: f82d097900b6c72b03a42b24f6394e7d0a118bdcf79b22a4acab2a05ede2e1b8
Opcode Fuzzy Hash: daaebf2d803c461f3faccb796fcda87f3b61d08384fd3878954fd6b6e544b9ce
Instruction Fuzzy Hash: 6032C071915218CFDB50DF99C684A8EFBF2BF48312F55D199D808AB256CB30E981CFA1

Function 06F573B8 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885207400.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9870dbe1039d409c9a6eb5d909e2e82a39a77434babc8aeed33d6052e8e9a9
Instruction ID: 554d370ff20f35668e5544d924d768f9bcc16d0914e6187e6e91864ebb390a6d
Opcode Fuzzy Hash: 1f9870dbe1039d409c9a6eb5d909e2e82a39a77434babc8aeed33d6052e8e9a9
Instruction Fuzzy Hash: 02E19B71B016008FEB69EB69C850BAEB7F6EF89300F15446EE646DB291CB35DD01CB52

Function 0870F4FA Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb38272fe9a979f0f83302b3cfba89a6936d56d1a4cf934a46d543ec186c6f1
Instruction ID: e8a3dc59edf12a75052d0d6a00122be2ab032e9695f5d00a4d42d3c375e11c48
Opcode Fuzzy Hash: 8cb38272fe9a979f0f83302b3cfba89a6936d56d1a4cf934a46d543ec186c6f1
Instruction Fuzzy Hash: 15E11875E00219CFCB14DFA9C5809AEBBF2FF49305F249159D814AB39ADB30A942DF61

Function 087068A4 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13ba238575b7794d2393489fc444f5dc22eb3c9d252050940c058c36c649492
Instruction ID: 17f2aa620c4aec0313b44dda3ed4f3a0beb9d05fa5e0292a5b1117a15e85d5d3
Opcode Fuzzy Hash: d13ba238575b7794d2393489fc444f5dc22eb3c9d252050940c058c36c649492
Instruction Fuzzy Hash: 98615875E00209DFCF04DFE9D8849AEBBF2EF88311F108429E915A7394DB349906CB50

Function 08703B90 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8304285d9c146755b658ac33675d278733afcb2bb2fd93fd76723eb0a0069b
Instruction ID: 7ee74f5ffe2e7b505c2a57061f3e9f3082c09adf185af0393e8f8a60e9e6a03c
Opcode Fuzzy Hash: 4b8304285d9c146755b658ac33675d278733afcb2bb2fd93fd76723eb0a0069b
Instruction Fuzzy Hash: F561B274E01218CFDB18CFAAD984B9DBBF2FF88301F1481A9D819A7294D7359985CF60

Function 08708C20 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b66bdfdc18ed4deb731609f62ac81ab603c7eac73fe3037afc2c8ce770e1ff16
Instruction ID: a4fb983c4e6f2c4d34acf2fbbfffe2c0571f9673c8834a09c99b67327e1fa84c
Opcode Fuzzy Hash: b66bdfdc18ed4deb731609f62ac81ab603c7eac73fe3037afc2c8ce770e1ff16
Instruction Fuzzy Hash: CA51BF75D01218DFDB08CFEAD8446AEBBF2FF88301F10906AD819AB258DB345A46CF51

Function 087028C0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed7044981d8a5b98763e1def9abe8fa411b81e8519aba5967d3b9fd3fb2d38b
Instruction ID: 54b5815b3afd6b19ea1e53cc3559463f4b452b795114776c5972f722327e6a2f
Opcode Fuzzy Hash: 3ed7044981d8a5b98763e1def9abe8fa411b81e8519aba5967d3b9fd3fb2d38b
Instruction Fuzzy Hash: 5041C8B1E106188FEB58DF6AC84179EBBF2FFC9301F10C0A9D41CA6255DB345A859F51

Function 08708C10 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5329fc135c021f1b7d4bf1b3e86423b4fe8c1557628965ad2157c007068732
Instruction ID: 93a24cf858b8118ecb206b1cac9348255aab9f9a427bef2fa67377e3664cf8a0
Opcode Fuzzy Hash: 0e5329fc135c021f1b7d4bf1b3e86423b4fe8c1557628965ad2157c007068732
Instruction Fuzzy Hash: DC419075E006189FDB08DFAAD88469EBBF2BF88311F14C16AD418AB258DB345A46CF51

Function 0088D410 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0088D49E
GetCurrentThread.KERNEL32 ref: 0088D4DB
GetCurrentProcess.KERNEL32 ref: 0088D518
GetCurrentThreadId.KERNEL32 ref: 0088D571

Memory Dump Source

Source File: 00000000.00000002.1868392465.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2b3cf4ad4ddbeab9917aa665267cc936d8c74546422151b30aa027ca404a9306
Instruction ID: 40ed4671444956d96213bd8921d9f7808fef93568ab951110bf1736d7bf4ec11
Opcode Fuzzy Hash: 2b3cf4ad4ddbeab9917aa665267cc936d8c74546422151b30aa027ca404a9306
Instruction Fuzzy Hash: 205166B09007498FDB18DFA9D548BAEBFF1FF88314F24845AE409A7291D7745984CB26

Function 0088D420 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0088D49E
GetCurrentThread.KERNEL32 ref: 0088D4DB
GetCurrentProcess.KERNEL32 ref: 0088D518
GetCurrentThreadId.KERNEL32 ref: 0088D571

Memory Dump Source

Source File: 00000000.00000002.1868392465.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7acdf34171c5e2fd6492ab9f50f7a63516e3d4e82f61f3e48f9934ce2df39684
Instruction ID: 15db49f76f7cfd6fb0317bf676402756c6e519c4bbd154f035138899749ffe0a
Opcode Fuzzy Hash: 7acdf34171c5e2fd6492ab9f50f7a63516e3d4e82f61f3e48f9934ce2df39684
Instruction Fuzzy Hash: 105177B09003498FDB14DFAAD548B9EBBF1FF88314F24845AE409A7390D7746984CF66

Function 06F526F6 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F52936

Memory Dump Source

Source File: 00000000.00000002.1885207400.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f50000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fc9be91f54f31159805a3f2dd023092756955abb2466b819833a4ab51fa18da6
Instruction ID: e8857b8b626cf1cbbda51533a11ce3e30fc627dbad7f73e35f3f14f1c1ac90bd
Opcode Fuzzy Hash: fc9be91f54f31159805a3f2dd023092756955abb2466b819833a4ab51fa18da6
Instruction Fuzzy Hash: F1914C71D00219CFDB64DFA8CC41BDEBBB2BF48314F15866AE908A7250DB749A85CF91

Function 06F52700 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F52936

Memory Dump Source

Source File: 00000000.00000002.1885207400.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f50000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 54678c5bd32ed6f1a328abacdebf48130e7cfe2ed736e52c88adf8e85c20bfdb
Instruction ID: 327fff7f974c6ae31c81e38dadc62402ec3afe5d1ef233f4e32ecdcf9500177a
Opcode Fuzzy Hash: 54678c5bd32ed6f1a328abacdebf48130e7cfe2ed736e52c88adf8e85c20bfdb
Instruction Fuzzy Hash: 2B914C71D00219CFDB64DFA8C841BDDBBB2BF48314F15866AE908A7250DB749A85CF91

Function 0088AD88 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0088AFDE

Memory Dump Source

Source File: 00000000.00000002.1868392465.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 081fca2939cf02de14d235adc7baa451cd4965fb03ccd9b02ae58640f55601b7
Instruction ID: 03493acb8695c6bc431f303b40e7c3281238378f5bca78e5e91008db5cabcf14
Opcode Fuzzy Hash: 081fca2939cf02de14d235adc7baa451cd4965fb03ccd9b02ae58640f55601b7
Instruction Fuzzy Hash: 12714970A00B058FEB28EF69D44575ABBF1FF88304F00892EE546D7A90DB75E845CB92

Function 0088594D Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00885A09

Memory Dump Source

Source File: 00000000.00000002.1868392465.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4e94b390b9667cda2619aa9d9118ea7e56240c81d6270a6f80cc8b5ddbbd1571
Instruction ID: df646efb47a8c2be415f775afdb02ddbfc913fbca367af4d8bac938ca9adfa9e
Opcode Fuzzy Hash: 4e94b390b9667cda2619aa9d9118ea7e56240c81d6270a6f80cc8b5ddbbd1571
Instruction Fuzzy Hash: 2041E0B0C00619CFDB28DFA9C984BDEBBB5FF48304F20816AD409AB255DB756946CF90

Function 00884510 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00885A09

Memory Dump Source

Source File: 00000000.00000002.1868392465.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fe36e9e57937b39a1ec559841b7e92770143f53c6eb6065734bc94b625243aae
Instruction ID: d752526a7e5f7de7974a5ff7a40b705edbfd82bda18b2b12c52f5729386e5da7
Opcode Fuzzy Hash: fe36e9e57937b39a1ec559841b7e92770143f53c6eb6065734bc94b625243aae
Instruction Fuzzy Hash: D841DFB0C0061DCFDB28DFA9C984B9EBBB5FF48304F20816AD409AB251DB756945CF90

Function 06F523B0 Relevance: 1.6, APIs: 1, Instructions: 66
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F52426

Memory Dump Source

Source File: 00000000.00000002.1885207400.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f50000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f9d8916440de47d4a3c080a9f339707da212755aab32c499ac7e1d0e6587ab48
Instruction ID: d05a07698a0579d5adeb3d96691db6375ff9bd6089ba609f1b4352123f11f860
Opcode Fuzzy Hash: f9d8916440de47d4a3c080a9f339707da212755aab32c499ac7e1d0e6587ab48
Instruction Fuzzy Hash: 3B21BB718043899FCB11DFAAC845ADFBFF5EF49320F14845AE515A7252C7399900CFA1

Function 06F522DA Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 06F5235E

Memory Dump Source

Source File: 00000000.00000002.1885207400.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f50000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3762bc77a207f8699f96c72b1a49ec78ba3f5ee201c88626dc658604cfa0cc1f
Instruction ID: 275307cd1aad8f39926ae2cea16374cdf07f1b5a90c00e06c65ee78524a02595
Opcode Fuzzy Hash: 3762bc77a207f8699f96c72b1a49ec78ba3f5ee201c88626dc658604cfa0cc1f
Instruction Fuzzy Hash: C7213AB1D002098FDB10DFAAC4857EEBBF4EF48324F148429D519A7240D7789A45CFA1

Function 06F52560 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F525E8

Memory Dump Source

Source File: 00000000.00000002.1885207400.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f50000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b82ccdd438afe88ea0be9bc76042f6d5415df252ebc46b24a8356eda75e5786a
Instruction ID: c5c6b63688f021e1092a7708d958763638fbb9a065023d6aed52580a7f9acd83
Opcode Fuzzy Hash: b82ccdd438afe88ea0be9bc76042f6d5415df252ebc46b24a8356eda75e5786a
Instruction Fuzzy Hash: 5A214AB1C00249DFCB10CFA9C881AEEFBF5FF48310F10842AE918A7250D7349911DB61

Function 0088D661 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0088D6EF

Memory Dump Source

Source File: 00000000.00000002.1868392465.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f56843917d757cb6596aa99f2ed7b4671c1b316872b27f170955503cb2bded9f
Instruction ID: 60ca38a06b2bba86970a7347ce0862321fcd0acbb90afc5a9bda1d30b1fb63c2
Opcode Fuzzy Hash: f56843917d757cb6596aa99f2ed7b4671c1b316872b27f170955503cb2bded9f
Instruction Fuzzy Hash: 4121D2B59002499FDB10CFAAD584AEEBBF5FB48320F14801AE918A3251D378A954CF60

Function 06F522E0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 06F5235E

Memory Dump Source

Source File: 00000000.00000002.1885207400.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f50000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ce850f52ac3bf30f2b9caf4ba062256ca2abb5496d1e229df3f11ddc203dd8e0
Instruction ID: c7faeea34c91168cc5376b4798c3906dda3f117a448b4a12e708c26e8eefc4c5
Opcode Fuzzy Hash: ce850f52ac3bf30f2b9caf4ba062256ca2abb5496d1e229df3f11ddc203dd8e0
Instruction Fuzzy Hash: 7A2138B1D003098FDB10DFAAC4857EEBBF4EF48324F14842AD919A7240D778AA45CFA1

Function 06F52568 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F525E8

Memory Dump Source

Source File: 00000000.00000002.1885207400.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f50000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 010adb43c5b0517eb239f20a26d884d9cfe3fc0a8d5bc21293af6193aeb370c3
Instruction ID: d8973ffffc24dcadaed394640a20047cfeedbe323cc7d68cb0f812bc5d3bc398
Opcode Fuzzy Hash: 010adb43c5b0517eb239f20a26d884d9cfe3fc0a8d5bc21293af6193aeb370c3
Instruction Fuzzy Hash: 4C2128B1C003499FCB10DFAAC981ADEFBF5FF48320F10842AE918A7240D7789900DBA1

Function 0088D668 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0088D6EF

Memory Dump Source

Source File: 00000000.00000002.1868392465.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b5b221d42497652dc50c262fa0ad37be79289fa5a9ccf0f34a834e5bcc55776b
Instruction ID: aa6626aed00507d865321413911b3ed3a12b22d1c23e6b0fde6e8d9d1f5561f3
Opcode Fuzzy Hash: b5b221d42497652dc50c262fa0ad37be79289fa5a9ccf0f34a834e5bcc55776b
Instruction Fuzzy Hash: C321E4B5900249DFDB10CF9AD984ADEFBF8FB48320F14801AE918A3350D378A954CFA0

Function 06F569D2 Relevance: 1.6, APIs: 1, Instructions: 54windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F56A35

Memory Dump Source

Source File: 00000000.00000002.1885207400.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f50000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 61bcbce0b8c774fa7b66e718b9ca1b9a5903a760d762313422c2f26a457bde9d
Instruction ID: 39c1a409dbf1b813b5a8a7bd6ec06b0aaca4b84b6a98f0bd5a15a61ecd5ef410
Opcode Fuzzy Hash: 61bcbce0b8c774fa7b66e718b9ca1b9a5903a760d762313422c2f26a457bde9d
Instruction Fuzzy Hash: 241134B1C00349DFCB60DF99D985BDABFF8EB48324F14844AE914A7212D375A944CFA1

Function 06F523B8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F52426

Memory Dump Source

Source File: 00000000.00000002.1885207400.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f50000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 27884d83624375ca7c279cbb9906fcf3d1ce6ef0c96bd0bfae56235ecb71a016
Instruction ID: 1c30a9e095d55aafbd96d872fae2cec4b1f9464465f43392c8d155e93e7be5a8
Opcode Fuzzy Hash: 27884d83624375ca7c279cbb9906fcf3d1ce6ef0c96bd0bfae56235ecb71a016
Instruction Fuzzy Hash: 8E1126B29002499FCB10DFAAC845ADEBFF5EF88320F248419E919A7251C775A940DFA1

Function 08706800 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 08707D28

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: b368ba605ff36ba82dd9026a23bb42640c3a3a53084098a7c7de3a5b72a684b3
Instruction ID: 34ab2524f6ce6d1f7e08b26d7add0526de8d3a371672064a25c6a52e67609739
Opcode Fuzzy Hash: b368ba605ff36ba82dd9026a23bb42640c3a3a53084098a7c7de3a5b72a684b3
Instruction Fuzzy Hash: 961114B1C0465ADBCB14CF9AD545BAEFBF8EB48320F10811AD818A3240D775A900CFA1

Function 08707CB0 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 08707D28

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: e7ad83a6fcafca7a35e5ae32059db5ccbae483e032af1da3dcea961f12349cae
Instruction ID: 412ad4a46b0017d37ea553cf80ad04565aa783450c67b49725b9660c49fdca51
Opcode Fuzzy Hash: e7ad83a6fcafca7a35e5ae32059db5ccbae483e032af1da3dcea961f12349cae
Instruction Fuzzy Hash: CF1126B1C0065ADFCB14CF9AD945BAEFBF8FB48320F10811AD818A3280D7756904CFA5

Function 06F507EC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F56A35

Memory Dump Source

Source File: 00000000.00000002.1885207400.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f50000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 53a4ea1934f53b81bf94f17197c4fa688d48f8d1a2963cea796538f8286784ac
Instruction ID: ddbf8d6b4121ae8940c1250fc72103923fd732d67d705b88acf9fe8711b4dd13
Opcode Fuzzy Hash: 53a4ea1934f53b81bf94f17197c4fa688d48f8d1a2963cea796538f8286784ac
Instruction Fuzzy Hash: C611F5B5800349DFDB50DF99C985BDEBFF8EB48320F10841AE914A7611D375A944CFA5

Function 0088AF78 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0088AFDE

Memory Dump Source

Source File: 00000000.00000002.1868392465.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 035152891919dee6145766ff39aaeebeea424c088c80f2d16899af1bdd96d9ae
Instruction ID: 2c9f5cb543c378b39988baa220cda41ff245f88fd0050965aa7436004f8dfcab
Opcode Fuzzy Hash: 035152891919dee6145766ff39aaeebeea424c088c80f2d16899af1bdd96d9ae
Instruction Fuzzy Hash: 05110FB5C002498FDB14DF9AC444A9EFBF4EF88324F10841AD928A7640D779A545CFA1

Function 0082D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1867790349.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2bfa512b7b078b4003479cca6450d8f2bf6d7c6abc4344afeef14b6426fe27
Instruction ID: c22ae8c80ed97193c550e1605672a4ca0e11f8a9d07e13760b349fb894f72834
Opcode Fuzzy Hash: 2f2bfa512b7b078b4003479cca6450d8f2bf6d7c6abc4344afeef14b6426fe27
Instruction Fuzzy Hash: 0E2128B1504304DFDB05EF14E9C0B26BF65FB94324F24C569E9098B256C336E896DBA1

Function 0083D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1868213875.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 045a14b2e5014cbf333e1f41532e009a3694cf81b03787df94c0104f42e7ff47
Instruction ID: b36d32a991de711a2277325e601c8cbd73aa04c8e7ad8c3ee76710facf3d3256
Opcode Fuzzy Hash: 045a14b2e5014cbf333e1f41532e009a3694cf81b03787df94c0104f42e7ff47
Instruction Fuzzy Hash: 412107B1504304EFDB15DF14E5C0B26BB65FBC4318F24C56DE9498B252C73AE846CAA1

Function 0083D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1868213875.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea292863333ebaeaef46900a600d15fa67b8853458a2da4d53e6500758b9e35
Instruction ID: e121dd8e2948ff65ce74106806c3d39277aab1a5d546b9ed1ec504db6e89ff84
Opcode Fuzzy Hash: 4ea292863333ebaeaef46900a600d15fa67b8853458a2da4d53e6500758b9e35
Instruction Fuzzy Hash: 222137B1504704DFCB18DF14E5D0B26BB65FBC4714F20C56DE84A8B256C33AD807CAA1

Function 0082D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1867790349.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 4df481bca7fd9708687e8fd19fcca0aeff1e0e1c573d831e40460b92a2f18b00
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: 59110672404340DFDB11DF00D5C0B16BF71FB94314F24C2A9D8094B656C33AD456CB91

Function 0083D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1868213875.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: b33b2f1dd25d581a7775904e469371f25ae6cee7a72d6beffaef6c5ddeceb07d
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 0D11DD75504780CFCB15CF14E5D4B15FBA2FB84714F24C6AAD8498B656C33AD84BCBA2

Function 0083D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1868213875.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: 9298bdeabd06505ab01dd1c7ee901445e32524fb66d50fc7629c72e6b7527587
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 2611BB75504380DFCB12CF10D5C0B16BBA2FB84314F24C6AAD8498B696C33AE84ACBA1

Non-executed Functions

Function 0870F980 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58cc16919fde44fc9e7b1a3da752c36a44497f031987d790c6322700774c9c4
Instruction ID: e871f285f5f684e255db96d5d3b2c41749ea940451d01e3d4a78b32feeb8af1b
Opcode Fuzzy Hash: e58cc16919fde44fc9e7b1a3da752c36a44497f031987d790c6322700774c9c4
Instruction Fuzzy Hash: F8E11A75E04119CFCB14DFA8C5909AEFBF2BF89305F248159D814AB39ADB30A942DF61

Function 06F51EA8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885207400.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec88b5341e91c6de0ac178fa42e67f458878a1dba5b43978bb98b9b32d8b124
Instruction ID: f22d0008de56bf777660c1f65169d7052b5c9de7be83ccdc7206476ca0f9c9bc
Opcode Fuzzy Hash: eec88b5341e91c6de0ac178fa42e67f458878a1dba5b43978bb98b9b32d8b124
Instruction Fuzzy Hash: 03E1F975E001198FDB14DFA9C5909AEFBF2BF89304F248169D914AB359D731AD82CFA0

Function 06F515D0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885207400.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb549f86fa3d4b179ff47613ed13b38f3f180d265710cd56751cf49c4e9859c
Instruction ID: 1eaa11478e9ee7cf66b5f84d8b3ff995e71ca303ea379edb5875ea75cbd24756
Opcode Fuzzy Hash: 2cb549f86fa3d4b179ff47613ed13b38f3f180d265710cd56751cf49c4e9859c
Instruction Fuzzy Hash: 89E1E675E041198FCB14DFA9C580AAEFBF2BF89304F248169D914AB359D730AD82CF61

Function 06F51198 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885207400.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c16e5fe785f4240938ebfa46020d81ffb8f84b79aee58c4ebe3f7989d58b1c
Instruction ID: 422454dd3889ca719a9af957c0c62b2a7af25941d960b03ead26a4b1e6be711d
Opcode Fuzzy Hash: f1c16e5fe785f4240938ebfa46020d81ffb8f84b79aee58c4ebe3f7989d58b1c
Instruction Fuzzy Hash: 37E1F975E001198FCB14DFA9C590AAEFBF2BF89304F249169D915AB359D730AD42CFA0

Function 08705880 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 968ae500321d59466becf20c7278967f606dabb97b8ff6b9c7b44dc75d0950fb
Instruction ID: 7d98ba7c12f0c1413a594e6c8adf354bfa76b4bb73c5986c8151d9b72a48d7c5
Opcode Fuzzy Hash: 968ae500321d59466becf20c7278967f606dabb97b8ff6b9c7b44dc75d0950fb
Instruction Fuzzy Hash: 75E11974E14119CFCB14DFA9C5809AEBBF2FF89305F248169D815AB35AD730A942DFA0

Function 08705CB8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 604f9b4259fa8b9f4dbfd691b05159923d1139f9a7fcde9a9df7b735cd5b130d
Instruction ID: 615ee203e2c4fba068f90102251732adbf363baffa6f6e9a5a3042a320ed90d3
Opcode Fuzzy Hash: 604f9b4259fa8b9f4dbfd691b05159923d1139f9a7fcde9a9df7b735cd5b130d
Instruction Fuzzy Hash: 88E1E974E04219CFCB14DFA9C5909AEBBF2FF49305F248169D815AB359D731A942CFA0

Function 08706E28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6345d5c6f3044a339d316395586663236f31f670f727eed753cdd4437f6424b
Instruction ID: 7088c59cc4d5d340a5a92d32c07a2c02ee6d960ef6892ec9f407596081a35fe2
Opcode Fuzzy Hash: e6345d5c6f3044a339d316395586663236f31f670f727eed753cdd4437f6424b
Instruction Fuzzy Hash: 57E1EC74E00119CFCB14DFA9C5909AEBBF2FF89305F248159D415AB359D731A942DFA0

Function 08706178 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705878e0d9dd5ffc35e2778b7df9e9447edaa378da2e4d280ad83008bdd6dd1c
Instruction ID: 2ba00f17a94c3095a5dac19ebadf0182e7a0494021b1936c3250ea574168887e
Opcode Fuzzy Hash: 705878e0d9dd5ffc35e2778b7df9e9447edaa378da2e4d280ad83008bdd6dd1c
Instruction Fuzzy Hash: B6E1D874E00219CFCB14DFA9C5909AEBBF2FF89305F248169D415AB35AD730A942DFA0

Function 0088EF04 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1868392465.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b2bccb8f10127ed7e63184d602eecacc03171ea8cd2a3abc2139469e76c114
Instruction ID: 5f29d788137d984de860d48d50eb99ecd415d7eecb3c2d85e5890c8262aed99c
Opcode Fuzzy Hash: 80b2bccb8f10127ed7e63184d602eecacc03171ea8cd2a3abc2139469e76c114
Instruction Fuzzy Hash: 2DA14D32E002198FCF15EFA4C84499EB7B2FF85304B1545BAEA05EB266DB31ED56CB40

Function 08708EB0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95fa17f8df5a99b70eec4de22ce35f7ce242a6f6e7fa685a22790fed5f1eff8d
Instruction ID: f820d7604c26651c21f7e772f50172bc3326ab4d6f0c694cc0c2cb508857d019
Opcode Fuzzy Hash: 95fa17f8df5a99b70eec4de22ce35f7ce242a6f6e7fa685a22790fed5f1eff8d
Instruction Fuzzy Hash: E9716075E012198FCB04DFAAD984A9EFBF2BF88311F14D16AD418AB359D734A942CF50

Function 06F51E98 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885207400.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b25ca989bcc6c85d87f28d2bf3e27b94087d0e568c97e81157cb89709d7dadf
Instruction ID: 906cc88dc8792047708efd5e7fc88b876d6a319cd5d59c62e97531dbd041f4d2
Opcode Fuzzy Hash: 8b25ca989bcc6c85d87f28d2bf3e27b94087d0e568c97e81157cb89709d7dadf
Instruction Fuzzy Hash: AE512E75E052198BDB14CFA9C9405AEFBF2BF89304F24C16AD908A7215D731AD42CFA1

Function 08705870 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0124f22b5687f659ced439d432ec26c610354a4ce390715996af25f25fe41f
Instruction ID: 60813a5405aef40a466b17cc753b9ac7fbfcfb937338fe32a774e87af2b97953
Opcode Fuzzy Hash: 0e0124f22b5687f659ced439d432ec26c610354a4ce390715996af25f25fe41f
Instruction Fuzzy Hash: 6E51F974E102198FDB14CFA9C5809AEFBF2FF89305F248169D418B7259D731A942DFA1

Function 08708EA0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886159767.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6a9060f640baa4cfc0cfe61906c5f718cb7609f55ae9c46351106905e1a256
Instruction ID: cafa6effa8be98e93217cac03fedf309570d9d6d08a56a6c70920ebdc74ea9c9
Opcode Fuzzy Hash: ff6a9060f640baa4cfc0cfe61906c5f718cb7609f55ae9c46351106905e1a256
Instruction Fuzzy Hash: 34516F75E016188FDB08CFAAD98469EFBF2FF88311F14C16AD418AB358DB3499468F51

Analysis Process: rRQnnfB.exePID: 7220, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	154
Total number of Limit Nodes:	9

Executed Functions

Function 06CB6C58 Relevance: 1.6, APIs: 1, Instructions: 82nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06CB6D27

Memory Dump Source

Source File: 0000000D.00000002.1924197651.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cb0000_rRQnnfB.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 2b7f45d5d610370d550c35dc0f4de52fc99ea81e4347496ac485411167773277
Instruction ID: a2ab8deee10241c8a1d73c5f2d614c0ddab0de0520009b7c58b80d2533322076
Opcode Fuzzy Hash: 2b7f45d5d610370d550c35dc0f4de52fc99ea81e4347496ac485411167773277
Instruction Fuzzy Hash: D43146B5D04389DFCB11CFAAD985ADEBFF4BF09310F24845AE958A7251C3359900CBA1

Function 06CB6780 Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06CB6D27

Memory Dump Source

Source File: 0000000D.00000002.1924197651.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cb0000_rRQnnfB.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 821a0759f25d30ecf7015388196b5dc3f179406316e162229cc6ce74d65b1fad
Instruction ID: c4f17943c91af128de045a2541bd6712dd441ff9b817b570e5bb7da6c35fd07a
Opcode Fuzzy Hash: 821a0759f25d30ecf7015388196b5dc3f179406316e162229cc6ce74d65b1fad
Instruction Fuzzy Hash: 8021AEB5901349DFCB10DF9AD984ADEFBF4FB48320F20842AE918A7210D375A954CFA5

Function 029826F4 Relevance: 1.8, APIs: 1, Instructions: 263
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02982936

Memory Dump Source

Source File: 0000000D.00000002.1918441663.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2980000_rRQnnfB.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 21edd65ef2e61898b4c610b512bd02b30a1df6a38a95b70c2c8b3aca6faeddc3
Instruction ID: d39e134a583bef5c8f2a9b97945242c0de8a4b5af7eda0484bd5109113f01704
Opcode Fuzzy Hash: 21edd65ef2e61898b4c610b512bd02b30a1df6a38a95b70c2c8b3aca6faeddc3
Instruction Fuzzy Hash: F5A16C71D002598FEF20DFA8C941BEDBBB6FF48314F1885AAD809A7290D7759981CF91

Function 02982700 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02982936

Memory Dump Source

Source File: 0000000D.00000002.1918441663.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2980000_rRQnnfB.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1d87fe074bccb65d40906566ccc6a0a02343081fc20ecfba945c7bced46faffb
Instruction ID: 324a44001f329bcd359dce727434e69ac70fc364a74ab7e692c07476a41391ad
Opcode Fuzzy Hash: 1d87fe074bccb65d40906566ccc6a0a02343081fc20ecfba945c7bced46faffb
Instruction Fuzzy Hash: 0A916C71D002598FEF20DF69C941BEDBBB6BF48314F1881A9DC09A7280DB759981CF91

Function 0281AD88 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0281AFDE

Memory Dump Source

Source File: 0000000D.00000002.1918321271.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2810000_rRQnnfB.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 53375ee6764956dc04c504908827ab4388287215efa66f0fda4b4c2da8090a9c
Instruction ID: d306ec14058fe42b79abfa59a1238d4c54f93e178a147fb48a501afef0038231
Opcode Fuzzy Hash: 53375ee6764956dc04c504908827ab4388287215efa66f0fda4b4c2da8090a9c
Instruction Fuzzy Hash: 4C7125B8A01B058FDB28DF69D44475ABBF5FF88304F00892DD48AD7A80DB75E845CB91

Function 0281594D Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02815A09

Memory Dump Source

Source File: 0000000D.00000002.1918321271.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2810000_rRQnnfB.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5306726a41707363d3702df9147af81b29107e44064dd5a94c275b3726262ce1
Instruction ID: 59fd07cb5abbae6a676805d70ef475c8985c3a8e2b84386029384098199ebdc4
Opcode Fuzzy Hash: 5306726a41707363d3702df9147af81b29107e44064dd5a94c275b3726262ce1
Instruction Fuzzy Hash: 8F41E6B4C00619CFDB24CFA9C984BDDBBB5FF49304F60806AD409AB251D775694ACF50

Function 02814510 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02815A09

Memory Dump Source

Source File: 0000000D.00000002.1918321271.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2810000_rRQnnfB.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0f30b154756a2fa6a6901554d1ecf5735291bb93cf96e9962e1cb86a3300e635
Instruction ID: 237a2d652939a4b8eaed32ed4dcf4bd4f3ba22bca693c79ebfeeccf2dc4ed33a
Opcode Fuzzy Hash: 0f30b154756a2fa6a6901554d1ecf5735291bb93cf96e9962e1cb86a3300e635
Instruction Fuzzy Hash: 6741C3B4C0071DCBDB24CFA9C984B9EBBB5BF88304F60805AD409AB295DB756949CF90

Function 04FA4050 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04FA4111

Memory Dump Source

Source File: 0000000D.00000002.1922792803.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4fa0000_rRQnnfB.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: f3d6c5b5f5cb2d825e3fc0f44a5400db908065426bd79956dceb46d7ea460e96
Instruction ID: f756a6565c8aee59ceabaf44bd9de7accec33cb7ffcb43d78046ff3f16425e25
Opcode Fuzzy Hash: f3d6c5b5f5cb2d825e3fc0f44a5400db908065426bd79956dceb46d7ea460e96
Instruction Fuzzy Hash: E94138B9A00319DFDB14CF89C848AAABBF5FF88314F24C459D519AB321D375A841CFA1

Function 02815AC4 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1918321271.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2810000_rRQnnfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7febf0e1f80017ef931ad954a4a12322de459ddb8edcac73651f8d98ed5360b
Instruction ID: addaacc5bd5629c1a9a4c81aac6e777c0a0b9bf870f2705060c0d94a1a49d7e9
Opcode Fuzzy Hash: c7febf0e1f80017ef931ad954a4a12322de459ddb8edcac73651f8d98ed5360b
Instruction Fuzzy Hash: D631C2B8804748CFDB11CFA8C9947DDBBB5FF96308F944189C015AB2D6C779A90ACB11

Function 02982560 Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 029825E8

Memory Dump Source

Source File: 0000000D.00000002.1918441663.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2980000_rRQnnfB.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6039298a8a11c9adbfd9be56cf172caa09bb7f9a9dc87be704dd8d5141457c3a
Instruction ID: eb0b3cf167182c7c825077fb6363d0f92f787278020844799ed9df15341ef4f3
Opcode Fuzzy Hash: 6039298a8a11c9adbfd9be56cf172caa09bb7f9a9dc87be704dd8d5141457c3a
Instruction Fuzzy Hash: D03188B6C003899FCB10DFA9D941BEEBBF1FF48320F14842AE968A7241C7389505DB61

Function 06CB67C7 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 06CB7D28

Memory Dump Source

Source File: 0000000D.00000002.1924197651.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cb0000_rRQnnfB.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 56fc6ddc53394536111523bd874622d0c5744b90ef122bf35ca452ec57a8722b
Instruction ID: 50d97ab6716cdc4841b129921dd93e314810e335196c2d00151c164a0bbc1e2b
Opcode Fuzzy Hash: 56fc6ddc53394536111523bd874622d0c5744b90ef122bf35ca452ec57a8722b
Instruction Fuzzy Hash: EA317CB2C0825A9FDB01DFA9D8917DABFB4EF85314F14809AD818A7251E734A814CBE5

Function 0281CFBC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0281D62E,?,?,?,?,?), ref: 0281D6EF

Memory Dump Source

Source File: 0000000D.00000002.1918321271.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2810000_rRQnnfB.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a1e663ab991cb7960c65a37687870b8c476c78d81227d6bab36d104d91f35127
Instruction ID: 03786e402c29fa8ebd72c7c6ed93c66ed24e60534261729844c5dce1fda4f0ec
Opcode Fuzzy Hash: a1e663ab991cb7960c65a37687870b8c476c78d81227d6bab36d104d91f35127
Instruction Fuzzy Hash: F12105B59002099FDB10CFAAD584ADEBFF8EB48314F14841AE918A7350D378A940CFA4

Function 029822D8 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0298235E

Memory Dump Source

Source File: 0000000D.00000002.1918441663.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2980000_rRQnnfB.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 33dce842dbe114d02ac8c8ce45d1dfb899d536a87c01e2137127d8029fba2251
Instruction ID: 5deda43062c989f73951ac3c499d0570c9600a356b22f67aaa338226b54fe81e
Opcode Fuzzy Hash: 33dce842dbe114d02ac8c8ce45d1dfb899d536a87c01e2137127d8029fba2251
Instruction Fuzzy Hash: 642157B1D003099FDB14DFAAC485BAEBBF4EF88324F14842AD419A7240C7789945CFA1

Function 0281D661 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0281D62E,?,?,?,?,?), ref: 0281D6EF

Memory Dump Source

Source File: 0000000D.00000002.1918321271.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2810000_rRQnnfB.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6fc31219dab8801ee9bf5abb85900ec0901719296126ed9d3e394dcffaf95815
Instruction ID: 5881660013a4d031884942cb01b5efb44bacbc2b6aadb53cf1b68d92c26b79b8
Opcode Fuzzy Hash: 6fc31219dab8801ee9bf5abb85900ec0901719296126ed9d3e394dcffaf95815
Instruction Fuzzy Hash: 4921E3B59002499FDB10CFAAD584ADEFBF8EB48324F14841AE918A7350D378A944CFA5

Function 029822E0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0298235E

Memory Dump Source

Source File: 0000000D.00000002.1918441663.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2980000_rRQnnfB.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: eab5ee1a14f3ebc7e12470ed13c65407636aa41b055c88418eeafd4e3ebd2a21
Instruction ID: 328f9fa8710db69084e827578508aa69a2d5c074f8a88d55ce7321a7deda9db6
Opcode Fuzzy Hash: eab5ee1a14f3ebc7e12470ed13c65407636aa41b055c88418eeafd4e3ebd2a21
Instruction Fuzzy Hash: F82138B1D003098FDB10DFAAC4857EEBBF8EF48324F14842AD519A7240D778A945CFA5

Function 02982568 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 029825E8

Memory Dump Source

Source File: 0000000D.00000002.1918441663.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2980000_rRQnnfB.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c7876c22014c2b705b1bb255f690b554c9d1d683780a131ce959bafee69ad052
Instruction ID: ae1cb08349cdcb28352af3515dfd29a07f189542ce65b954e9d0b8619a32088c
Opcode Fuzzy Hash: c7876c22014c2b705b1bb255f690b554c9d1d683780a131ce959bafee69ad052
Instruction Fuzzy Hash: 8E2139B1D003499FDB10DFAAC881ADEFBF5FF48320F54842AE918A7240C7799501DBA5

Function 06CB7CB0 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 06CB7D28

Memory Dump Source

Source File: 0000000D.00000002.1924197651.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cb0000_rRQnnfB.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: c2f7ed6f9a760f82f30a5a5b967f6ce7cc55575d6af695c7e754ef42e7949182
Instruction ID: 74f5ffc0af18a6d98d492b4de28ed4b1efa16ad8b53f96042509a4ebd2f68360
Opcode Fuzzy Hash: c2f7ed6f9a760f82f30a5a5b967f6ce7cc55575d6af695c7e754ef42e7949182
Instruction Fuzzy Hash: AE1114B5C0065A8FCB10CFA9E945AEEFBB4FF48724F24815AD818B7640D3746614CFA1

Function 06CB6820 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 06CB7D28

Memory Dump Source

Source File: 0000000D.00000002.1924197651.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cb0000_rRQnnfB.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: c2abb4d5fb0debe0c5ccecdc6d300715026ba98b8c798c46cff4b70b99530cfc
Instruction ID: 2bd78833115a71a79e52d7824dfdf37532f2fef2954cda7afb0b48f70c148dd6
Opcode Fuzzy Hash: c2abb4d5fb0debe0c5ccecdc6d300715026ba98b8c798c46cff4b70b99530cfc
Instruction Fuzzy Hash: 991114B1C046599BCB10CF9AE544AEEFBF4EB88320F14811AD818A7240D374A900CFE5

Function 029823B8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02982426

Memory Dump Source

Source File: 0000000D.00000002.1918441663.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2980000_rRQnnfB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 919f52c1fb8dc325933bcbf77adf094ffd1d0ddf90a4428650600f93b3130b05
Instruction ID: 53cf2bc61dc73d63ae1639e55f33a3f28dc94b120570a337e0c1fdff50b3f322
Opcode Fuzzy Hash: 919f52c1fb8dc325933bcbf77adf094ffd1d0ddf90a4428650600f93b3130b05
Instruction Fuzzy Hash: E21156B29002499FCB10DFAAC845ADFBFF9EF88324F248419E919A7250C775A500DFA1

Function 029823B3 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02982426

Memory Dump Source

Source File: 0000000D.00000002.1918441663.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2980000_rRQnnfB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 189aa2914e4c74a73f832e2b49fedffbe61148eb39aebf378cda792c1cf42df1
Instruction ID: db3a641850abce508c8bd7d6506133f8faae009d33481823ffed029633f2f8ab
Opcode Fuzzy Hash: 189aa2914e4c74a73f832e2b49fedffbe61148eb39aebf378cda792c1cf42df1
Instruction Fuzzy Hash: 511156B2D003498FDB10DFA9C945BDEBBF5EF48324F24881AE919A7250C7759540DFA0

Function 02985BE3 Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 02985C45

Memory Dump Source

Source File: 0000000D.00000002.1918441663.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2980000_rRQnnfB.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f65c1482a8379891d7c6e63279e3564d05feb03f22a3ae77e5f5b53ca68f95c8
Instruction ID: c433d630a5712d1dd48f7b18392d492afb09cde10d20bcc16740b0846a4856b5
Opcode Fuzzy Hash: f65c1482a8379891d7c6e63279e3564d05feb03f22a3ae77e5f5b53ca68f95c8
Instruction Fuzzy Hash: 771146B1800349CFCB10DF99DA85BEEBFF8EB08324F19844AD914A7201D374A948CFA0

Function 029807EC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 02985C45

Memory Dump Source

Source File: 0000000D.00000002.1918441663.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2980000_rRQnnfB.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 796be6a779c14066e94cd98526f191c67e9ec0fb94a102b5a7c203ea869f82a2
Instruction ID: e532e7c65be68a9fadaf31c7a4a6ce5422519fd891341bfd2c4b32c09b413552
Opcode Fuzzy Hash: 796be6a779c14066e94cd98526f191c67e9ec0fb94a102b5a7c203ea869f82a2
Instruction Fuzzy Hash: 271122B58003499FDB10DF8AC985BDEBBF8EB48324F24841AE518A7200C375A944CFA1

Function 0281AF78 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0281AFDE

Memory Dump Source

Source File: 0000000D.00000002.1918321271.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2810000_rRQnnfB.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 17a774dbc23d4bd9c6f3fdcc377f3e8ec7721e3dc3dca0c7eab2a945a56eebd4
Instruction ID: c42c3c02796462c5736ecd9eadcfce8808c6c686c40e5abda20f41e567a3c7ee
Opcode Fuzzy Hash: 17a774dbc23d4bd9c6f3fdcc377f3e8ec7721e3dc3dca0c7eab2a945a56eebd4
Instruction Fuzzy Hash: 891110BAC003498FCB14CF9AD444ADEFBF8EF88328F10841AD428A7640C379A545CFA1

Function 06CB7D60 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 06CB7DC7

Memory Dump Source

Source File: 0000000D.00000002.1924197651.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cb0000_rRQnnfB.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a753137ab55f4ce29fcf74f794279a4241d32036caf4c1d0a6f8c1ca8ded01d1
Instruction ID: 39f2b04d5bba08436ad4a4346c00f6579c69c8871cb55b84a8ac79a51c8ab408
Opcode Fuzzy Hash: a753137ab55f4ce29fcf74f794279a4241d32036caf4c1d0a6f8c1ca8ded01d1
Instruction Fuzzy Hash: 171155B180024A8FDB10CFAAD545BEEFBF4EF48324F20846AD518A7251C378A944CFA1

Function 06CB682C Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 06CB7DC7

Memory Dump Source

Source File: 0000000D.00000002.1924197651.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cb0000_rRQnnfB.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 74d945efce4b67ac3c3f6b5e6143afff2a4e142f9980e392c882ed903a905606
Instruction ID: 1d9e7f99274cf5266c5e562ddc9bfcb2b49116128a0042ce3e1fb80057d7a329
Opcode Fuzzy Hash: 74d945efce4b67ac3c3f6b5e6143afff2a4e142f9980e392c882ed903a905606
Instruction Fuzzy Hash: F81116B18003498FDB10CF9AD545BEEBBF8EB48324F24846AD918A3240D778A944CFA5

Function 027BD1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1917941639.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27bd000_rRQnnfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed5abb50cf9d6316b8c872d3842f8fc70634ac5c4ea0ab950583234ba980cd9
Instruction ID: 6a9582fdd7b532b248737cb7c4c112deaaa814ad628a485eef1ee3f74bdd33a8
Opcode Fuzzy Hash: 9ed5abb50cf9d6316b8c872d3842f8fc70634ac5c4ea0ab950583234ba980cd9
Instruction Fuzzy Hash: 0721F1B2904280EFDB26DF14D9C4BA7BF65FF88314F24C569ED091A246C336D416CBA1

Function 027BD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1917941639.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27bd000_rRQnnfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09077d12ed987ced41d2dc7d5979de10f269639d6002ed5221def839d2144b5a
Instruction ID: b1cc5996fb74c1d7757e88a0033c82cf0503580f54bc52693d86c8c2609a0448
Opcode Fuzzy Hash: 09077d12ed987ced41d2dc7d5979de10f269639d6002ed5221def839d2144b5a
Instruction Fuzzy Hash: 6B2125B1504204DFDB2ADF14D9C0B66BF65FF88324F24C569ED0A4B256C33AE456CBA2

Function 027CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1918001999.00000000027CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27cd000_rRQnnfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24733d5c1350351452d71a0551b73f0a522834356f1639ddf378d80cf9e4c05a
Instruction ID: 8833cf5ef8e761abf881d72d4c9f78dcf698e26d211e42ae7613c64a6c5009fe
Opcode Fuzzy Hash: 24733d5c1350351452d71a0551b73f0a522834356f1639ddf378d80cf9e4c05a
Instruction Fuzzy Hash: 5521F5B5604204DFDB24DF28D5C4B26BB65FB84324F34C57DD94A4B256C336D487CA61

Function 027CD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1918001999.00000000027CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27cd000_rRQnnfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d3d2fa773ee2285f0165762b5d438cf45bddbf43b42db42900130466a60db7
Instruction ID: 41aa342753149a6c60b1200fe77d288040b7ea8812fac741530879750d36af37
Opcode Fuzzy Hash: a7d3d2fa773ee2285f0165762b5d438cf45bddbf43b42db42900130466a60db7
Instruction Fuzzy Hash: 1621F2B1504200EFDB25DF24D9C0B26BBA5FB88324F34C97DE94A4B25AC336D446CB61

Function 027CD007 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1918001999.00000000027CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27cd000_rRQnnfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9406098c94afd6bb8d93564fa179edcc9eee33c7a512cbf1e6aaab20eccf26d
Instruction ID: b1186ba5d8da66814c5a29aff225fdcaa1be8e105976e55f4605f9449307c44d
Opcode Fuzzy Hash: a9406098c94afd6bb8d93564fa179edcc9eee33c7a512cbf1e6aaab20eccf26d
Instruction Fuzzy Hash: D62180755093808FCB12CF24D590715BF71EB46314F28C5EED8498B6A7C33AD44ACB62

Function 027BD1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1917941639.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27bd000_rRQnnfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0198dffcca54c8a327979ca184e18e1179e26769679eb7287e54d642110c921c
Instruction ID: 1c429eef06d43606f47dd38e3c5e110f997bef4e3def63cea4a67243da136843
Opcode Fuzzy Hash: 0198dffcca54c8a327979ca184e18e1179e26769679eb7287e54d642110c921c
Instruction Fuzzy Hash: 9721CD76804280DFCB16CF00D9C4B96BF62FF88314F24C1A9EC080A656C33AD42ACBA1

Function 027BD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1917941639.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27bd000_rRQnnfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 1a765da26c50197a2b55241d02b42364dcbd33036f91f4c32fdc465b7bb44b82
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: 2911DF72404240CFCB16CF00D5C4B56BF72FB84324F24C6A9DC090B656C33AE45ACBA2

Function 027CD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1918001999.00000000027CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27cd000_rRQnnfB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: 6d598692442fe00c4d1374e0080efef08d43de090670ffb3141d3d8039f7cdf8
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 1A119075504240DFDB15CF24D5C4B16FB71FB84314F24C6AED8494B656C33AD44ACB51

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AveMaria

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rRQnnfB.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_12401240.ugp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_44lcahnm.ysa.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_beaxd2fj.eub.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g3bijr5y.gns.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sq0hpzw0.wyw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ualgpki3.sov.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_veieiips.qbt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ypq2gapu.0wm.psm1

C:\Users\user\AppData\Local\Temp\tmpE51C.tmp

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe