IOC Report
SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

loading gif

Files

File Path
Type
Category
Malicious
SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
initial sample
malicious
C:\Users\user\AppData\Local\Temp\tmp9C71.tmp
XML 1.0 document, ASCII text
dropped
malicious
C:\Users\user\AppData\Roaming\lnYkIr.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.log
ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lnYkIr.exe.log
ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bzuq32ob.u1b.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fv5xasf4.rpi.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ga4hat10.ybz.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i5tjpzaf.s5s.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nlawgkar.oii.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ny3uspx2.xmw.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rhe4w4cg.g22.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xqq2bpia.wp5.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\tmpADC6.tmp
XML 1.0 document, ASCII text
dropped
C:\Users\user\AppData\Roaming\lnYkIr.exe:Zone.Identifier
ASCII text, with CRLF line terminators
dropped
There are 6 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lnYkIr.exe
malicious
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmp9C71.tmp
malicious
C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
malicious
C:\Users\user\AppData\Roaming\lnYkIr.exe
C:\Users\user\AppData\Roaming\lnYkIr.exe
malicious
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmpADC6.tmp
malicious
C:\Users\user\AppData\Roaming\lnYkIr.exe
C:\Users\user\AppData\Roaming\lnYkIr.exe
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
There are 3 hidden processes, click here to show them.

URLs

Name
IP
Malicious
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
unknown
http://ocsp.sectigo.com0A
unknown
http://ip-api.com/line/?fields=hostingyi;
unknown
https://sectigo.com/CPS0
unknown
https://account.dyn.com/
unknown
http://us2.smtp.mailhostbox.com
unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
unknown
http://ip-api.com/line/?fields=hostingCi
unknown
http://crl.usertr
unknown
http://ocsp.usertru
unknown
http://ip-api.com/line/?fields=hosting
208.95.112.1
http://ip-api.com
unknown