Windows Analysis Report
Contract #U2116 KB #U2013 08152024 - 1.pif.exe

Overview

General Information

Sample name: Contract #U2116 KB #U2013 08152024 - 1.pif.exe
renamed because original name is a hash value
Original sample name: Contract KB 08152024 - 1.pif.exe
Analysis ID: 1517889
MD5: 0d691a633beee6186b92c949b1d517ec
SHA1: 9fdbbfe61d00c5a665b2ecbb289911174d398b3a
SHA256: 5ae089cf078ddd0de067269cc5b8334998c0bb38c7abd508733d51e79d8a792e
Tags: exepifRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Found malware configuration
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.37ec758.1.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["141.98.10.33:1912"], "Bot Id": "foz", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe ReversingLabs: Detection: 55%
Multi AV Scanner detection for submitted file
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe ReversingLabs: Detection: 55%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: iyRY.pdb source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, pnizSfmxsGVsXD.exe.0.dr
Source: Binary string: iyRY.pdbSHA256R source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, pnizSfmxsGVsXD.exe.0.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 4x nop then inc dword ptr [ebp-0Ch] 0_2_04C837AC
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 4x nop then jmp 06DD6E47h 7_2_06DD66E8
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 4x nop then jmp 06DD2483h 7_2_06DD2250
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 4x nop then jmp 06DD6644h 7_2_06DD6380
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 4x nop then jmp 06DD92B0h 7_2_06DD8DB8
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 4x nop then jmp 06DD125Dh 7_2_06DD123C
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 4x nop then jmp 06DD5322h 7_2_06DD530A
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 7_2_07DC3478
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 4x nop then jmp 07DC3E7Ah 7_2_07DC3A58
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 4x nop then jmp 07DC42FAh 7_2_07DC3A58
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 4x nop then jmp 06C5447Fh 9_2_06C54A87

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.5:49710 -> 141.98.10.33:1912
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.5:49710 -> 141.98.10.33:1912
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 141.98.10.33:1912 -> 192.168.2.5:49710
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.5:49708 -> 141.98.10.33:1912
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.5:49708 -> 141.98.10.33:1912
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 141.98.10.33:1912 -> 192.168.2.5:49708
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 141.98.10.33:1912 -> 192.168.2.5:49710
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 141.98.10.33:1912 -> 192.168.2.5:49708
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 141.98.10.33:1912
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49708 -> 141.98.10.33:1912
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HOSTBALTICLT HOSTBALTICLT
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2228781019.000000000161E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://purl.oen
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2117587357.00000000027A2000.00000004.00000800.00020000.00000000.sdmp, Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 00000009.00000002.2167015302.0000000002737000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003420000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003420000.00000004.00000800.00020000.00000000.sdmp, Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003420000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2118443806.000000000387A000.00000004.00000800.00020000.00000000.sdmp, Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2118443806.0000000003820000.00000004.00000800.00020000.00000000.sdmp, Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2118443806.0000000003759000.00000004.00000800.00020000.00000000.sdmp, Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2226506822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Detected potential crypto function
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 0_2_00A1D5BC 0_2_00A1D5BC
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 0_2_04C87180 0_2_04C87180
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 0_2_04C854FB 0_2_04C854FB
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 0_2_04C8551F 0_2_04C8551F
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 0_2_04C85530 0_2_04C85530
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 0_2_04C8F088 0_2_04C8F088
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 0_2_04C87170 0_2_04C87170
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 0_2_04C8EC50 0_2_04C8EC50
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_0136DC74 7_2_0136DC74
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DD66E8 7_2_06DD66E8
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DD0590 7_2_06DD0590
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DD12F0 7_2_06DD12F0
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DD42B8 7_2_06DD42B8
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DD7218 7_2_06DD7218
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DD0040 7_2_06DD0040
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DD2E08 7_2_06DD2E08
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DD3C78 7_2_06DD3C78
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DD8DB8 7_2_06DD8DB8
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DD4A20 7_2_06DD4A20
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DDABB8 7_2_06DDABB8
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DDB918 7_2_06DDB918
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DD12E0 7_2_06DD12E0
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DD3C6A 7_2_06DD3C6A
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DD5920 7_2_06DD5920
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_07DC2F70 7_2_07DC2F70
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_07DC9770 7_2_07DC9770
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_07DC0E60 7_2_07DC0E60
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_07DC6628 7_2_07DC6628
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_07DC3478 7_2_07DC3478
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_07DC5C00 7_2_07DC5C00
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_07DC12E0 7_2_07DC12E0
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_07DC3A58 7_2_07DC3A58
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_07DC19E8 7_2_07DC19E8
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_07DC0040 7_2_07DC0040
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_07DC0808 7_2_07DC0808
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_07DC2828 7_2_07DC2828
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_07DC3468 7_2_07DC3468
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_07DC4AE0 7_2_07DC4AE0
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_07DC3A47 7_2_07DC3A47
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_07DC0007 7_2_07DC0007
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 9_2_026CD5BC 9_2_026CD5BC
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 9_2_06C52538 9_2_06C52538
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 9_2_06C5439B 9_2_06C5439B
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 9_2_06C50D28 9_2_06C50D28
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 9_2_06C52533 9_2_06C52533
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 9_2_06C50D38 9_2_06C50D38
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 9_2_06C51248 9_2_06C51248
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 9_2_06C570F0 9_2_06C570F0
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 12_2_00E8DC74 12_2_00E8DC74
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 12_2_02BA8850 12_2_02BA8850
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 12_2_02BAEE58 12_2_02BAEE58
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 12_2_02BA0006 12_2_02BA0006
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 12_2_02BA0040 12_2_02BA0040
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 12_2_02BA8840 12_2_02BA8840
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 12_2_055BB5B0 12_2_055BB5B0
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 12_2_055B7660 12_2_055B7660
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 12_2_055B96C8 12_2_055B96C8
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 12_2_055BB170 12_2_055BB170
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 12_2_055B6928 12_2_055B6928
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 12_2_055BB9E8 12_2_055BB9E8
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 12_2_06F19700 12_2_06F19700
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 12_2_06F15648 12_2_06F15648
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 12_2_06F15638 12_2_06F15638
Sample file is different than original file name gathered from version info
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2115675768.00000000008AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2123176275.0000000006850000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2118443806.000000000387A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2118443806.0000000003820000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000000.2065004701.00000000002B0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameiyRY.exe6 vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2118443806.00000000039FB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2118443806.00000000039FB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2226506822.0000000000446000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2226945726.00000000010E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe Binary or memory string: OriginalFilenameiyRY.exe6 vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
Uses 32bit PE files
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: pnizSfmxsGVsXD.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, aob4t2heYGD5OpupvU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, aob4t2heYGD5OpupvU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, oE46Ol8Efu3c0MYDGh.cs Security API names: _0020.SetAccessControl
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, oE46Ol8Efu3c0MYDGh.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, oE46Ol8Efu3c0MYDGh.cs Security API names: _0020.AddAccessRule
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, oE46Ol8Efu3c0MYDGh.cs Security API names: _0020.SetAccessControl
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, oE46Ol8Efu3c0MYDGh.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, oE46Ol8Efu3c0MYDGh.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@16/11@0/1
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File created: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2072:120:WilError_03
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1576:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Mutant created: \Sessions\1\BaseNamedObjects\IZmDGqJiypaEKrNLtetGpeOr
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File created: C:\Users\user\AppData\Local\Temp\tmpFABF.tmp Jump to behavior
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000303C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File read: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe "C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe"
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpFABF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process created: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe "C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpC43.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process created: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe"
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe" Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpFABF.tmp" Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process created: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe "C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpC43.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process created: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe" Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: msvcp140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: msvcp140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: iyRY.pdb source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, pnizSfmxsGVsXD.exe.0.dr
Source: Binary string: iyRY.pdbSHA256R source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, pnizSfmxsGVsXD.exe.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, VentanaPrincipal.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: pnizSfmxsGVsXD.exe.0.dr, VentanaPrincipal.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, oE46Ol8Efu3c0MYDGh.cs .Net Code: ETxi5qnsEW System.Reflection.Assembly.Load(byte[])
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.2786fac.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, oE46Ol8Efu3c0MYDGh.cs .Net Code: ETxi5qnsEW System.Reflection.Assembly.Load(byte[])
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.4cd0000.4.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 9.2.pnizSfmxsGVsXD.exe.2716f34.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe Static PE information: 0xB47BDC83 [Mon Dec 14 11:37:39 2065 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DD1AE9 push E406D552h; iretd 7_2_06DD1AF5
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 9_2_06C55240 pushad ; iretd 9_2_06C55241
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 9_2_06C5421E push ebx; ret 9_2_06C5422E
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Code function: 12_2_02BAD442 push eax; ret 12_2_02BAD451
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe Static PE information: section name: .text entropy: 7.853179629516152
Source: pnizSfmxsGVsXD.exe.0.dr Static PE information: section name: .text entropy: 7.853179629516152
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, t8BfSJvdolSXb98ZHZ.cs High entropy of concatenated method names: 'zbJMWpuXaI', 'HwrM6okT9H', 'dM0MiFrcvU', 'RFsMNfUeVh', 'qBnMQUfCQC', 'cqAMZBB26X', 'sTgMLbGBZ6', 'BaMnONF12u', 'ra7njIT1do', 'bJunhre2i9'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, gUAnaPdgob4AM4q2shE.cs High entropy of concatenated method names: 'LcfMcuh1ot', 'sPLMbab0Et', 'YPAM5eYZk5', 'CwgMfgSqYV', 'GFEMFWrbjw', 'jYKM7uVKa6', 'SduMtdBQf7', 'NxlMyCF0O4', 'msDMS2QKPl', 'dgeM0Su9Cd'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, Vmtwl9Y9dRljbbaoBD.cs High entropy of concatenated method names: 'jhflyj34U3', 's4TlSkYcrB', 'ehhlpjDojl', 'nxRl4ocOo1', 'v5blHKTm8L', 'rD1lT8ZfZg', 'IfblA8Bj5R', 'pCQlwQW5KD', 'I8LlYP8nFa', 'wcLl9s1N5Z'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, aob4t2heYGD5OpupvU.cs High entropy of concatenated method names: 'qV6QBZT0Xl', 'AKHQDJdKb5', 'vW4QG6bUx6', 'QhTQ8Col8g', 'IEOQ1qJOrr', 'VEHQqlOrHF', 'zMlQOQXna7', 'kKUQj1NGuy', 'Iy9QhZoUp8', 'lfJQaMwSuT'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, Ka6k6Mwr0D0ucUCC1g.cs High entropy of concatenated method names: 'Uq2ZFk6704', 'C8OZtT3Jfx', 'buJEP9ffhk', 'J8aEHsecFT', 'E67ETmZW1o', 'yxsEupVLqf', 'mcaEAuyaK6', 'vIDEwBR84W', 'JFsEoBZvLv', 'nsOEYCkhFs'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, IYrgodMO50VvajIKYP.cs High entropy of concatenated method names: 'xLhnpGvV9X', 'WEOn4T9TF1', 'MXAnPVCX1N', 'BpZnHqssl1', 'yCwnBitGBd', 'ALbnTQYQrZ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, JQQ8G91OrsrY7GJHO0.cs High entropy of concatenated method names: 'SgOerwAHlp', 'aMkeVLJipk', 'ToString', 'xAKeN92kLn', 'eQLeQWDH8w', 'SYheE1Rm6x', 'IDTeZ4SGqV', 'oTleLsqtSA', 'TFPektQOBT', 'ryMe21sfty'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, jYviHnddrr0PJ0tP51h.cs High entropy of concatenated method names: 'ToString', 'OHTJ6vIQOI', 'LS1Jix9nJE', 'YMjJs3nGEV', 'yyeJNkEDCh', 'LbLJQ50AVt', 'eelJESEWMc', 'HZpJZ8Dvk4', 'B92nhOo2c9lH05qiD75', 'LecFpRo6KiC0WXC2iuv'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, DpOUlnkoIN9Lf7ghK2.cs High entropy of concatenated method names: 'juVWk2B6pU', 'OA7W2NGb1o', 'I1lWr43bIa', 'F0WWVTIXuT', 'CXkW39sSKL', 't1tWX0g8qU', 'hG0PS83q47dhCY7jeT', 'VbkVZBT6oXepAISMd4', 'DDDWWmjZVE', 'nB7W6q9TcA'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, k3RSvedZF8e4WY8RjHA.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'J4DJBVveI2', 'xjtJDUeSJH', 'wYxJGGj43m', 'XxSJ8wSELd', 'A87J14DWNx', 'EVMJqFgxqw', 'dArJOHQb01'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, gUSEHEnBKjhn4ujvyO.cs High entropy of concatenated method names: 'HGtEfVDiWJ', 'tKTE7bsDuD', 'rQTEy0JDXS', 'TfFESwGHLB', 'V0oE328SC2', 'eONEX2QEcB', 'z3vEeSc9cq', 'cUuEnTFEeT', 'pigEMWNvXl', 'h3tEJ8EUv8'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, k55U5StuS7Zy5fosYf.cs High entropy of concatenated method names: 'CcGkcbGHJH', 'so8kbAER6v', 'FJCk5OEAKT', 'o0wkfo9e0Z', 'De0kFyEK4n', 'lTak7PXEfL', 'uVIktNAKM7', 'nHukypPDS9', 'L43kSKseqo', 'FYgk02KkRm'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, mcaRcvfNXqfY8LNXHm.cs High entropy of concatenated method names: 'Dispose', 'kBiWhNGZ0e', 'npPC4lOVH8', 'htCII8fWAg', 'GCnWakeRCO', 'sd0Wz5Uf18', 'ProcessDialogKey', 'MHrCRHOYM8', 'vR1CWujLTb', 'eC0CCciZ8p'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, uYVhrQaCKVqgV6fxij.cs High entropy of concatenated method names: 'il5LsFpQa4', 'V3CLQBoHw5', 'MQILZRFDTv', 'DLZLkhWWkH', 'ljWL2aJZkh', 'z9bZ1ZdK8W', 'XvpZquVSNG', 'V3QZOvTPVR', 'X3nZjeNl3P', 'sO9ZhTwh3E'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, oE46Ol8Efu3c0MYDGh.cs High entropy of concatenated method names: 'bqv6sfddrk', 'i1M6NepbBV', 'ogd6Ql3lUD', 'Erk6E743hw', 'es76ZaVsf7', 'O8d6LpHxyr', 'Hej6koOPHv', 'LHn62eoA0h', 'DFx6KgraYL', 'YY66rlN8Vk'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, plS6Ltr08cFW71LhNs.cs High entropy of concatenated method names: 'V7iej0TqXl', 'RUBeaLe4m3', 'NqPnRBc5VU', 'IlNnWH6ZVi', 'xs0e9SCC1d', 'y43emytF8m', 'gUWexafiUH', 'PWGeBrtIsA', 'cOkeDV9PoE', 'lk0eGyd46P'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, erBRkjxbU1T4atAV7u.cs High entropy of concatenated method names: 'KM15iKvrG', 'VsnfKgilK', 'XuO7y0CZg', 'D1CtVicod', 'kPZSFraIH', 'bmh01UQI4', 'Q2IrEY5IDjbp8XIILu', 'E3RABX2Kqv8Ec4emSP', 'Asknsh8ok', 'YP6JZWVwM'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, LNyn5VjGJTGPVJvtpV.cs High entropy of concatenated method names: 'ToString', 'akHX9TDCYg', 'WJ9X4ajyYL', 'vBQXPw8ivV', 'eSpXH8ki0S', 'QHOXTGYqA1', 'YXcXuLxCQv', 'nXtXAtrBA7', 'SWMXwXtD6J', 'kuLXoiRCgs'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, S2Pg5gAjEvxZ6e10mF.cs High entropy of concatenated method names: 'FP1nN1gFff', 'TRcnQ0F4DN', 'TDZnER2FfR', 'xNxnZEZF04', 'WEinLqABbH', 'PP1nkya7Er', 'LuWn25KhOE', 'yjvnKfHjpD', 'fXInrCX8Ok', 'L5JnVjWPvm'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, Pqya1HTwswL1L7khJx.cs High entropy of concatenated method names: 'mIqkNcSSyB', 'IvvkEe2MB5', 'eRSkLH7QFK', 'SLcLaEFmsh', 'kfXLzaa2Zm', 'Ak1kRI0I8x', 'L71kW3prDR', 'BcckC1ndw6', 'akIk6LOyIZ', 'PTski8px54'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.2786fac.0.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.2786fac.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, t8BfSJvdolSXb98ZHZ.cs High entropy of concatenated method names: 'zbJMWpuXaI', 'HwrM6okT9H', 'dM0MiFrcvU', 'RFsMNfUeVh', 'qBnMQUfCQC', 'cqAMZBB26X', 'sTgMLbGBZ6', 'BaMnONF12u', 'ra7njIT1do', 'bJunhre2i9'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, gUAnaPdgob4AM4q2shE.cs High entropy of concatenated method names: 'LcfMcuh1ot', 'sPLMbab0Et', 'YPAM5eYZk5', 'CwgMfgSqYV', 'GFEMFWrbjw', 'jYKM7uVKa6', 'SduMtdBQf7', 'NxlMyCF0O4', 'msDMS2QKPl', 'dgeM0Su9Cd'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, Vmtwl9Y9dRljbbaoBD.cs High entropy of concatenated method names: 'jhflyj34U3', 's4TlSkYcrB', 'ehhlpjDojl', 'nxRl4ocOo1', 'v5blHKTm8L', 'rD1lT8ZfZg', 'IfblA8Bj5R', 'pCQlwQW5KD', 'I8LlYP8nFa', 'wcLl9s1N5Z'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, aob4t2heYGD5OpupvU.cs High entropy of concatenated method names: 'qV6QBZT0Xl', 'AKHQDJdKb5', 'vW4QG6bUx6', 'QhTQ8Col8g', 'IEOQ1qJOrr', 'VEHQqlOrHF', 'zMlQOQXna7', 'kKUQj1NGuy', 'Iy9QhZoUp8', 'lfJQaMwSuT'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, Ka6k6Mwr0D0ucUCC1g.cs High entropy of concatenated method names: 'Uq2ZFk6704', 'C8OZtT3Jfx', 'buJEP9ffhk', 'J8aEHsecFT', 'E67ETmZW1o', 'yxsEupVLqf', 'mcaEAuyaK6', 'vIDEwBR84W', 'JFsEoBZvLv', 'nsOEYCkhFs'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, IYrgodMO50VvajIKYP.cs High entropy of concatenated method names: 'xLhnpGvV9X', 'WEOn4T9TF1', 'MXAnPVCX1N', 'BpZnHqssl1', 'yCwnBitGBd', 'ALbnTQYQrZ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, JQQ8G91OrsrY7GJHO0.cs High entropy of concatenated method names: 'SgOerwAHlp', 'aMkeVLJipk', 'ToString', 'xAKeN92kLn', 'eQLeQWDH8w', 'SYheE1Rm6x', 'IDTeZ4SGqV', 'oTleLsqtSA', 'TFPektQOBT', 'ryMe21sfty'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, jYviHnddrr0PJ0tP51h.cs High entropy of concatenated method names: 'ToString', 'OHTJ6vIQOI', 'LS1Jix9nJE', 'YMjJs3nGEV', 'yyeJNkEDCh', 'LbLJQ50AVt', 'eelJESEWMc', 'HZpJZ8Dvk4', 'B92nhOo2c9lH05qiD75', 'LecFpRo6KiC0WXC2iuv'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, DpOUlnkoIN9Lf7ghK2.cs High entropy of concatenated method names: 'juVWk2B6pU', 'OA7W2NGb1o', 'I1lWr43bIa', 'F0WWVTIXuT', 'CXkW39sSKL', 't1tWX0g8qU', 'hG0PS83q47dhCY7jeT', 'VbkVZBT6oXepAISMd4', 'DDDWWmjZVE', 'nB7W6q9TcA'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, k3RSvedZF8e4WY8RjHA.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'J4DJBVveI2', 'xjtJDUeSJH', 'wYxJGGj43m', 'XxSJ8wSELd', 'A87J14DWNx', 'EVMJqFgxqw', 'dArJOHQb01'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, gUSEHEnBKjhn4ujvyO.cs High entropy of concatenated method names: 'HGtEfVDiWJ', 'tKTE7bsDuD', 'rQTEy0JDXS', 'TfFESwGHLB', 'V0oE328SC2', 'eONEX2QEcB', 'z3vEeSc9cq', 'cUuEnTFEeT', 'pigEMWNvXl', 'h3tEJ8EUv8'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, k55U5StuS7Zy5fosYf.cs High entropy of concatenated method names: 'CcGkcbGHJH', 'so8kbAER6v', 'FJCk5OEAKT', 'o0wkfo9e0Z', 'De0kFyEK4n', 'lTak7PXEfL', 'uVIktNAKM7', 'nHukypPDS9', 'L43kSKseqo', 'FYgk02KkRm'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, mcaRcvfNXqfY8LNXHm.cs High entropy of concatenated method names: 'Dispose', 'kBiWhNGZ0e', 'npPC4lOVH8', 'htCII8fWAg', 'GCnWakeRCO', 'sd0Wz5Uf18', 'ProcessDialogKey', 'MHrCRHOYM8', 'vR1CWujLTb', 'eC0CCciZ8p'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, uYVhrQaCKVqgV6fxij.cs High entropy of concatenated method names: 'il5LsFpQa4', 'V3CLQBoHw5', 'MQILZRFDTv', 'DLZLkhWWkH', 'ljWL2aJZkh', 'z9bZ1ZdK8W', 'XvpZquVSNG', 'V3QZOvTPVR', 'X3nZjeNl3P', 'sO9ZhTwh3E'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, oE46Ol8Efu3c0MYDGh.cs High entropy of concatenated method names: 'bqv6sfddrk', 'i1M6NepbBV', 'ogd6Ql3lUD', 'Erk6E743hw', 'es76ZaVsf7', 'O8d6LpHxyr', 'Hej6koOPHv', 'LHn62eoA0h', 'DFx6KgraYL', 'YY66rlN8Vk'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, plS6Ltr08cFW71LhNs.cs High entropy of concatenated method names: 'V7iej0TqXl', 'RUBeaLe4m3', 'NqPnRBc5VU', 'IlNnWH6ZVi', 'xs0e9SCC1d', 'y43emytF8m', 'gUWexafiUH', 'PWGeBrtIsA', 'cOkeDV9PoE', 'lk0eGyd46P'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, erBRkjxbU1T4atAV7u.cs High entropy of concatenated method names: 'KM15iKvrG', 'VsnfKgilK', 'XuO7y0CZg', 'D1CtVicod', 'kPZSFraIH', 'bmh01UQI4', 'Q2IrEY5IDjbp8XIILu', 'E3RABX2Kqv8Ec4emSP', 'Asknsh8ok', 'YP6JZWVwM'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, LNyn5VjGJTGPVJvtpV.cs High entropy of concatenated method names: 'ToString', 'akHX9TDCYg', 'WJ9X4ajyYL', 'vBQXPw8ivV', 'eSpXH8ki0S', 'QHOXTGYqA1', 'YXcXuLxCQv', 'nXtXAtrBA7', 'SWMXwXtD6J', 'kuLXoiRCgs'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, S2Pg5gAjEvxZ6e10mF.cs High entropy of concatenated method names: 'FP1nN1gFff', 'TRcnQ0F4DN', 'TDZnER2FfR', 'xNxnZEZF04', 'WEinLqABbH', 'PP1nkya7Er', 'LuWn25KhOE', 'yjvnKfHjpD', 'fXInrCX8Ok', 'L5JnVjWPvm'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, Pqya1HTwswL1L7khJx.cs High entropy of concatenated method names: 'mIqkNcSSyB', 'IvvkEe2MB5', 'eRSkLH7QFK', 'SLcLaEFmsh', 'kfXLzaa2Zm', 'Ak1kRI0I8x', 'L71kW3prDR', 'BcckC1ndw6', 'akIk6LOyIZ', 'PTski8px54'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.4cd0000.4.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.4cd0000.4.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 9.2.pnizSfmxsGVsXD.exe.2716f34.0.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 9.2.pnizSfmxsGVsXD.exe.2716f34.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Creates processes with suspicious names
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File created: \contract #u2116 kb #u2013 08152024 - 1.pif.exe
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File created: \contract #u2116 kb #u2013 08152024 - 1.pif.exe
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File created: \contract #u2116 kb #u2013 08152024 - 1.pif.exe
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File created: \contract #u2116 kb #u2013 08152024 - 1.pif.exe Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File created: \contract #u2116 kb #u2013 08152024 - 1.pif.exe Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File created: \contract #u2116 kb #u2013 08152024 - 1.pif.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File created: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpFABF.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Contract #U2116 KB #U2013 08152024 - 1.pif.exe PID: 432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pnizSfmxsGVsXD.exe PID: 7340, type: MEMORYSTR
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Memory allocated: A10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Memory allocated: 2750000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Memory allocated: 25B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Memory allocated: 99C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Memory allocated: 6A30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Memory allocated: A9C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Memory allocated: B9C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Memory allocated: 1360000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Memory allocated: 2F90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Memory allocated: 2DC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Memory allocated: F50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Memory allocated: 26E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Memory allocated: 46E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Memory allocated: 70D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Memory allocated: 80D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Memory allocated: 8270000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Memory allocated: 9270000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Memory allocated: E80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Memory allocated: 2BD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Memory allocated: 2A30000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5292 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4479 Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Window / User API: threadDelayed 1641 Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Window / User API: threadDelayed 1809 Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Window / User API: threadDelayed 612 Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Window / User API: threadDelayed 3499 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe TID: 4744 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7276 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe TID: 7676 Thread sleep time: -9223372036854770s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe TID: 7272 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe TID: 7400 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe TID: 7804 Thread sleep time: -13835058055282155s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe TID: 7576 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655LR]q
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: pnizSfmxsGVsXD.exe, 00000009.00000002.2170404608.0000000006AD6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: pnizSfmxsGVsXD.exe, 00000009.00000002.2170404608.0000000006AD6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Fp
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2250679526.0000000000D1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2226945726.00000000011B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DD7218 LdrInitializeThunk, 7_2_06DD7218
Enables debug privileges
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe"
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Memory written: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe" Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpFABF.tmp" Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process created: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe "C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpC43.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process created: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Queries volume information: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Queries volume information: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2226945726.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2248054631.0000000006576000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information
barindex
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.37ec758.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3837978.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.37ec758.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3837978.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2226506822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2118443806.0000000003820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2118443806.000000000387A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2118443806.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Contract #U2116 KB #U2013 08152024 - 1.pif.exe PID: 432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Contract #U2116 KB #U2013 08152024 - 1.pif.exe PID: 7248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pnizSfmxsGVsXD.exe PID: 7548, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumE#
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $]q2C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: JaxxE#
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.walletLR]q@j
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum\walletsLR]q
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusE#
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $]q%appdata%`,]qdC:\Users\user\AppData\Roaming`,]qdC:\Users\user\AppData\Roaming\Binance
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: EthereumE#
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $]q&%localappdata%\Coinomi\Coinomi\walletsLR]q4H
Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $]q6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File opened: C:\Users\user\AppData\Roaming\atomic\ Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\ Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\ Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File opened: C:\Users\user\AppData\Roaming\Guarda\ Jump to behavior
Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Roaming\atomic\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Roaming\Guarda\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2254770469.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Contract #U2116 KB #U2013 08152024 - 1.pif.exe PID: 7248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pnizSfmxsGVsXD.exe PID: 7548, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.37ec758.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3837978.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.37ec758.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3837978.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2226506822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2118443806.0000000003820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2118443806.000000000387A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2118443806.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Contract #U2116 KB #U2013 08152024 - 1.pif.exe PID: 432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Contract #U2116 KB #U2013 08152024 - 1.pif.exe PID: 7248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pnizSfmxsGVsXD.exe PID: 7548, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1517889 Sample: Contract #U2116 KB #U2013 0... Startdate: 25/09/2024 Architecture: WINDOWS Score: 100 43 Suricata IDS alerts for network traffic 2->43 45 Found malware configuration 2->45 47 Sigma detected: Scheduled temp file as task from temp location 2->47 49 12 other signatures 2->49 7 pnizSfmxsGVsXD.exe 5 2->7         started        10 Contract #U2116 KB #U2013 08152024 - 1.pif.exe 7 2->10         started        process3 file4 51 Multi AV Scanner detection for dropped file 7->51 53 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->53 55 Machine Learning detection for dropped file 7->55 59 2 other signatures 7->59 13 pnizSfmxsGVsXD.exe 5 2 7->13         started        16 schtasks.exe 1 7->16         started        33 C:\Users\user\AppData\...\pnizSfmxsGVsXD.exe, PE32 10->33 dropped 35 C:\...\pnizSfmxsGVsXD.exe:Zone.Identifier, ASCII 10->35 dropped 37 C:\Users\user\AppData\Local\...\tmpFABF.tmp, XML 10->37 dropped 39 Contract #U2116 KB...024 - 1.pif.exe.log, ASCII 10->39 dropped 57 Adds a directory exclusion to Windows Defender 10->57 18 Contract #U2116 KB #U2013 08152024 - 1.pif.exe 5 3 10->18         started        21 powershell.exe 21 10->21         started        23 schtasks.exe 1 10->23         started        signatures5 process6 dnsIp7 61 Found many strings related to Crypto-Wallets (likely being stolen) 13->61 63 Tries to harvest and steal browser information (history, passwords, etc) 13->63 65 Tries to steal Crypto Currency Wallets 13->65 25 conhost.exe 16->25         started        41 141.98.10.33, 1912, 49708, 49710 HOSTBALTICLT Lithuania 18->41 67 Loading BitLocker PowerShell Module 21->67 27 WmiPrvSE.exe 21->27         started        29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
141.98.10.33
 unknown Lithuania
209605 HOSTBALTICLT true