Windows Analysis Report
SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
Analysis ID: 1379474
MD5: ea3a7609e12fe069ec2968793646876e
SHA1: c727b1456e2c715cc80b992fe6c32ac70afc3402
SHA256: a6c2b68b46b6b478ae984fd861f1681688a64c2f1f3227256e6fd436be1569e0

Detection

PoshC2
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected PoshC2
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject threads in other processes
Machine Learning detection for sample
Yara detected Generic Downloader
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cleanup
Name: PoshC2
Description: PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement. PoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extendible and flexible C2 framework. Out-of-the-box PoshC2 comes with PowerShell/C# and Python3 implants with payloads written in PowerShell v2 and v4, C++ and C# source code, a variety of executables, DLLs and raw shellcode in addition to a Python3 payload. These enable C2 functionality on a wide range of devices and operating systems, including Windows, *nix and OSX.
Attribution: APT33
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2
Malware configuration: {"C2 url": "https://139.59.72.48:9443"}
Yara matches in memory dumps (Source | Rule | Description | Author):
00000000.00000002.4529328409.000000000145A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PoshC2 | Yara detected PoshC2 | Joe Security
00000000.00000002.4530257912.00000000019A0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PoshC2 | Yara detected PoshC2 | Joe Security
00000000.00000002.4530469878.0000000003B01000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PoshC2 | Yara detected PoshC2 | Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe PID: 5892 | JoeSecurity_PoshC2 | Yara detected PoshC2 | Joe Security

Yara matches in unpacked PEs (Source | Rule | Description | Author):
0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.unpack | JoeSecurity_PoshC2 | Yara detected PoshC2 | Joe Security
0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.unpack | JoeSecurity_PoshC2 | Yara detected PoshC2 | Joe Security
0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.unpack | JoeSecurity_PoshC2 | Yara detected PoshC2 | Joe Security
0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.raw.unpack | JoeSecurity_PoshC2 | Yara detected PoshC2 | Joe Security
0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack | JoeSecurity_PoshC2 | Yara detected PoshC2 | Joe Security
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Avira: detected
Source: https://139.59.72.48:9443/bh/sync/aol/?c | Avira URL Cloud: Label: malware
Source: https://139.59.72.48:9443 | Avira URL Cloud: Label: malware
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack | Malware Configuration Extractor: PoshC2 {"C2 url": "https://139.59.72.48:9443"}
Source: https://139.59.72.48:9443/bh/sync/aol/?c | Virustotal: Detection: 11%
Source: https://139.59.72.48:9443 | Virustotal: Detection: 13%
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | ReversingLabs: Detection: 85%
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Virustotal: Detection: 81%
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: 0_2_01317E08 FindFirstFileExW, 0_2_01317E08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: 0_2_10007E04 FindFirstFileExW, 0_2_10007E04

Networking

Source: Malware configuration extractor | URLs: https://139.59.72.48:9443
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.6:49710 -> 139.59.72.48:9443
Source: Joe Sandbox View | IP Address: 139.59.72.48
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: unknown | TCP traffic detected without corresponding DNS query: 139.59.72.48
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4529328409.000000000145A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530257912.00000000019A0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://139.59.72.48:9443
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B99000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://139.59.72.48:9443/bh/sync/aol/?c
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://139.59.72.48:9443t-
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: 0_2_01310031
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: 0_2_013110B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: 0_2_0131E8D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: 0_2_0131DBF5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: 0_2_100010B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: 0_2_1000E8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: 0_2_1000DBF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: String function: 10002D00 appears 34 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: String function: 01312D04 appears 34 times
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4529328409.000000000145A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename dropper_cs.exe$ vs SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530257912.00000000019A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename dropper_cs.exe$ vs SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4530469878.0000000003B01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename dropper_cs.exe$ vs SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack, Program.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack, Program.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.raw.unpack, Program.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.raw.unpack, Program.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.raw.unpack, Program.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.raw.unpack, Program.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack, Program.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack, Program.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.raw.unpack, Program.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.raw.unpack, Program.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.raw.unpack, Program.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.raw.unpack, Program.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/1@0/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:992:120:WilError_03
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | ReversingLabs: Detection: 85%
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Virustotal: Detection: 81%
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack, Program.cs | .Net Code: ImplantCore System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.raw.unpack, Program.cs | .Net Code: ImplantCore System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.raw.unpack, Program.cs | .Net Code: ImplantCore System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.raw.unpack, Program.cs | .Net Code: ImplantCore System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: 0_2_001114E0 GetModuleHandleA, LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, 0_2_001114E0
Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Static PE information: section name: .eh_fram
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: 0_2_01312D4A push ecx; ret 0_2_01312D5D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: 0_2_0131EC10 pushad ; ret 0_2_0131EC11
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: 0_2_10002D46 push ecx; ret 0_2_10002D59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: GetModuleHandleW, GetModuleFileNameA, StrStrIA, CreateThread, 0_2_01311644
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: GetModuleHandleW, GetModuleFileNameA, StrStrIA, CreateThread, 0_2_10001640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 593594Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 593484Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeWindow / User API: threadDelayed 890Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeWindow / User API: threadDelayed 1528Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeWindow / User API: threadDelayed 7365Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 988Thread sleep time: -44500000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -24903104499507879s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -600000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -599875s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -599765s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -599656s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -599547s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -599437s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -599328s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -599201s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -599089s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -598984s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -598875s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -598548s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -598437s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -598316s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -596681s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -596557s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -596437s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -596328s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -596218s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -596109s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -596000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -595890s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -595781s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -595671s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -595562s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -595453s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -595344s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -595234s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -595125s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -595014s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -594906s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -594797s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -594687s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -594578s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -594469s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -594359s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -594250s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -594140s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -594031s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -593922s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -593812s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -593703s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -593594s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe TID: 7144Thread sleep time: -593484s >= -30000sJump to behavior
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_01317E08 FindFirstFileExW,0_2_01317E08
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_10007E04 FindFirstFileExW,0_2_10007E04
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 50000Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 600000Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 599875Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 599765Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 599656Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 599547Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 599437Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 599328Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 599201Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 599089Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 598984Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 598875Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 598548Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 598437Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 598316Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 596681Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 596557Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 596437Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 596328Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 596218Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 596109Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 596000Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 595890Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 595781Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 595671Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 595562Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 595453Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 595344Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 595234Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 595125Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 595014Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 594906Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 594797Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 594687Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 594578Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 594469Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 594359Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 594250Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 594140Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 594031Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 593922Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 593812Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 593703Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 593594Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeThread delayed: delay time: 593484Jump to behavior
                    Source: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe, 00000000.00000002.4529328409.000000000148B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_01315D1F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_01315D1F
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_001114E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,0_2_001114E0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_0131799B mov eax, dword ptr fs:[00000030h]0_2_0131799B
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_01310B11 mov eax, dword ptr fs:[00000030h]0_2_01310B11
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_013163A4 mov eax, dword ptr fs:[00000030h]0_2_013163A4
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_10007997 mov eax, dword ptr fs:[00000030h]0_2_10007997
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_100063A0 mov eax, dword ptr fs:[00000030h]0_2_100063A0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_01319332 GetProcessHeap,0_2_01319332
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_0011116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,0_2_0011116C
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_00111160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,0_2_00111160
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_001111A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,0_2_001111A3
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_001113C1 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,0_2_001113C1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_01315D1F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_01315D1F
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_01312BDD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_01312BDD
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_01312EAD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_01312EAD
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_10005D1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_10005D1B
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_10002EA9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_10002EA9
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeCode function: 0_2_10002BD9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_10002BD9
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: 0_2_001116F9 exit,OpenProcess,exit,VirtualAllocEx,VirtualAllocEx,exit,VirtualProtect,VirtualProtect,WriteProcessMemory,WriteProcessMemory,exit,CreateRemoteThread,CreateRemoteThread,CloseHandle,0_2_001116F9
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: 0_2_01312A36 cpuid 0_2_01312A36
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Code function: 0_2_01312D65 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_01312D65
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.4529328409.000000000145A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.4530257912.00000000019A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.4530469878.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe PID: 5892, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.1485480.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.147dd88.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.19a0000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe.3b087b0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.4529328409.000000000145A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.4530257912.00000000019A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.4530469878.0000000003B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.RunPowerShellNET.8.14140.19596.exe PID: 5892, type: MEMORYSTR

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance
                    Valid Accounts | 1 Native API | Path Interception | 11 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Abuse Accessibility Features | Acquire Infrastructure | Gather Victim Identity Information
                    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 21 Virtualization/Sandbox Evasion | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Standard Port | SIM Card Swap | Obtain Device Cloud Backups | Network Denial of Service | Domains | Credentials
                    Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Application Layer Protocol | | | Data Encrypted for Impact | DNS Server | Email Addresses
                    Local Accounts | Cron | Login Hook | Login Hook | 11 Deobfuscate/Decode Files or Information | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Traffic Duplication | Protocol Impersonation | | | Data Destruction | Virtual Private Server | Employee Names
                    Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Scheduled Transfer | Fallback Channels | | | Data Encrypted for Impact | Server | Gather Victim Network Information
                    Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Data Transfer Size Limits | Multiband Communication | | | Service Stop | Botnet | Domain Properties
                    External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 13 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over C2 Channel | Commonly Used Port | | | Inhibit System Recovery | Web Services | DNS