Windows Analysis Report SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Snort IDS alert for network traffic

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49710 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49710 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49710 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49710 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49710 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49710 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49723 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49723 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49723 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49723 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49723 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49724 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49724 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49724 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49724 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49724 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49725 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49725 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49725 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49725 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49725 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49726 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49726 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49726 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49726 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49726 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49727 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49727 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49727 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49727 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49727 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49728 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49728 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49728 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49728 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49728 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49729 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49729 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49729 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49729 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49729 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49730 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49730 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49730 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49730 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49730 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49731 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49731 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49731 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49731 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49731 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49732 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49732 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49732 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49732 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49732 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49735 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49735 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49735 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49735 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49735 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49736 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49736 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49736 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49736 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49736 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49737 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49737 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49737 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49737 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49737 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49740 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49740 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49740 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49740 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49740 -> 174.136.29.143:587

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49710 -> 174.136.29.143:587

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: IHNETUS IHNETUS

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.5:49710 -> 174.136.29.143:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: mail.egyptian-international.com

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000324D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.0000000003156000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000319D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000339B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000341B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.0000000003306000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000304F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://egyptian-international.com
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000324D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.0000000003156000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000319D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000339B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000341B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.0000000003306000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000304F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.egyptian-international.com
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000000.00000002.2027399991.00000000043BE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4466314496.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, oAKy.cs	.Net Code: xiG
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.raw.unpack, oAKy.cs	.Net Code: xiG

Installs a global keyboard hook

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Window created: window name: CLIPBRDWNDCLASS

Malicious sample detected (through community Yara rule)

System Summary

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_031AD64C	0_2_031AD64C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_057F7880	0_2_057F7880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_057F0040	0_2_057F0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_057F003A	0_2_057F003A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A3320	0_2_073A3320
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073AF2D0	0_2_073AF2D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A9698	0_2_073A9698
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A3310	0_2_073A3310
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073AA360	0_2_073AA360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A2158	0_2_073A2158
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A9F28	0_2_073A9F28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073ABB68	0_2_073ABB68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A1B58	0_2_073A1B58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073ABB57	0_2_073ABB57
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A1B47	0_2_073A1B47
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A9AF0	0_2_073A9AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A9AE1	0_2_073A9AE1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_02F74308	4_2_02F74308
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_02F74BD8	4_2_02F74BD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_02F7CEE0	4_2_02F7CEE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_02F73FC0	4_2_02F73FC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_02F79C78	4_2_02F79C78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_06572EF0	4_2_06572EF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_065756B0	4_2_065756B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_06573F20	4_2_06573F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_0657BCE0	4_2_0657BCE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_0657DCE0	4_2_0657DCE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_06579AB0	4_2_06579AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_06578B52	4_2_06578B52
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_06570040	4_2_06570040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_0657360B	4_2_0657360B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_06574FD0	4_2_06574FD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_066B1128	4_2_066B1128
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_066B1122	4_2_066B1122

PE / OLE file has an invalid certificate

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000000.00000002.2025832945.00000000015EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000000.00000002.2026934654.000000000324A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename68e94292-e7ba-498c-970d-76afa5e24b67.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000000.00000002.2027399991.00000000043BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename68e94292-e7ba-498c-970d-76afa5e24b67.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000000.00000002.2027399991.00000000043BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000000.00000002.2029404387.00000000076F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4466512615.00000000010F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4466314496.000000000043E000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename68e94292-e7ba-498c-970d-76afa5e24b67.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Binary or memory string: OriginalFilenamejxrb.exeX vs SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, ekKu0.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, vKf1z6NvS.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, ZNAvlD7qmXc.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, U2doU2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, BgffYko.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, HrTdA63.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, DQHR5pVfhxG8MCtHrX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, DQHR5pVfhxG8MCtHrX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.322bd58.6.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.3223d40.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.3270858.4.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b30000.11.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.log

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Mutant created: NULL

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Virustotal: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

.NET source code contains method to dynamically call methods (often used by packers)

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, MainWindow.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, I1Ds3abkUA5mh3kywv.cs	.Net Code: hyVW2X9uL System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, I1Ds3abkUA5mh3kywv.cs	.Net Code: hyVW2X9uL System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	.Net Code: j3g0jZCWPg System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	.Net Code: j3g0jZCWPg System.Reflection.Assembly.Load(byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_05806D28 pushfd ; ret	0_2_05806D35
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_05808EF8 push eax; mov dword ptr [esp], ecx	0_2_05808EFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_058099F0 push eax; ret	0_2_05809A03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_058058D0 pushfd ; ret	0_2_058058DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_066B8212 push 00000006h; ret	4_2_066B822C

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: section name: .text entropy: 7.9700877256777884

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, R87QTajabri3WprdxA.cs	High entropy of concatenated method names: 'SoFXXYTXBr', 'VXePqW7LxoGttIrQMM', 'VJKqh4rSy8UE5CPs2d', 'w7T6rNymrPsVe05ZjX', 'Qa5usbZfG', 'UsaN6r2JI', 'Dispose', 'xdE70OV1R', 'WKG8Nh2TLfQX7DMBJq', 'FCyDZoO16YhsTUYx7V'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, I1Ds3abkUA5mh3kywv.cs	High entropy of concatenated method names: 'I6pnpGMEc', 'pUPSoKeTB', 'w3OonGh86', 'S3aaCOvyF', 'MagvcleIh', 'hvmph4XfL', 'eXtqEM8mO', 'RC38AH4Bb', 'hyVW2X9uL', 'AbHynsT40'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs	High entropy of concatenated method names: 'sRJJ4PC1lt6MgSX9oLN', 'qCuPUJCYMdGJYrcKdqj', 'T9OMNMJAsS', 'KH71sVC96gudd8OjhqS', 'qSoaq8CnboJYXbPCm1H', 'XtbiVDCeUWVlZdG2V08', 'D2TFRiCIaLSytg31rTE', 'MtxGm4CM57HGXUKQMIN', 'RgtTUJcyZL', 'eFmMT9Tlnp'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, QEHxtuXFnnkJABhbAo.cs	High entropy of concatenated method names: 'Geosg7Hdn', 'wwIBOnTmd', 'siWV4YECO', 'k32FNitut', 'cUAG5mh3k', 'JwvHwu9Dw', 'cr1hyajqeLqaQ4F9dK', 'Pgut89mcfAIn6Hs5oN', 'Dispose', 'MoveNext'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, R87QTajabri3WprdxA.cs	High entropy of concatenated method names: 'SoFXXYTXBr', 'VXePqW7LxoGttIrQMM', 'VJKqh4rSy8UE5CPs2d', 'w7T6rNymrPsVe05ZjX', 'Qa5usbZfG', 'UsaN6r2JI', 'Dispose', 'xdE70OV1R', 'WKG8Nh2TLfQX7DMBJq', 'FCyDZoO16YhsTUYx7V'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, I1Ds3abkUA5mh3kywv.cs	High entropy of concatenated method names: 'I6pnpGMEc', 'pUPSoKeTB', 'w3OonGh86', 'S3aaCOvyF', 'MagvcleIh', 'hvmph4XfL', 'eXtqEM8mO', 'RC38AH4Bb', 'hyVW2X9uL', 'AbHynsT40'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs	High entropy of concatenated method names: 'sRJJ4PC1lt6MgSX9oLN', 'qCuPUJCYMdGJYrcKdqj', 'T9OMNMJAsS', 'KH71sVC96gudd8OjhqS', 'qSoaq8CnboJYXbPCm1H', 'XtbiVDCeUWVlZdG2V08', 'D2TFRiCIaLSytg31rTE', 'MtxGm4CM57HGXUKQMIN', 'RgtTUJcyZL', 'eFmMT9Tlnp'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, QEHxtuXFnnkJABhbAo.cs	High entropy of concatenated method names: 'Geosg7Hdn', 'wwIBOnTmd', 'siWV4YECO', 'k32FNitut', 'cUAG5mh3k', 'JwvHwu9Dw', 'cr1hyajqeLqaQ4F9dK', 'Pgut89mcfAIn6Hs5oN', 'Dispose', 'MoveNext'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	High entropy of concatenated method names: 'm1YE2xqRMm', 'rPVEy3yiY2', 'MEjEp5CDju', 'pnxEH8jJ2K', 'qxlE5MMwD7', 'lCFEtn9iBx', 'jIMEKAtsIK', 'JMwEPdyYRt', 'frcEbNDIDJ', 'vHUESDLINT'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, X6tUZhmm5pMtrtDWlM3.cs	High entropy of concatenated method names: 'ToString', 'umw4Ey8fOC', 'peu408Y0nj', 'bn5426Hp9N', 'qZ64yqWCg9', 'DYH4p8Ksqt', 'RX74HQQItB', 'K1K45qb0wQ', 'CqerJXFu4jphXRjSYXH', 'OFWoetFwEC3itflrk8S'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, TkhYaId9iCRd8Ie6PP.cs	High entropy of concatenated method names: 'B4Mt2Wg8Dm', 'VY5tpAijKX', 'GiGt5PxXqR', 'wFXtKANy98', 'y7qtP4PGR2', 'PCn51w5CPA', 'Ixk5F4blGn', 'zMD53PeHtV', 'mQp5XsnBjI', 'UvK5A0lxk2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, TWiOUvXw3oSvwrnawM.cs	High entropy of concatenated method names: 'T7Zvyp4ocl', 'yb5vpuKH3L', 'QHVvHW0SfN', 'XKov5x6FAH', 'DxVvttn5PB', 'HF2vKryJbY', 'cdyvPqE03F', 'djovbcYLe2', 'AJCvSdVBg2', 'aDYvc1MrZg'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, DQHR5pVfhxG8MCtHrX.cs	High entropy of concatenated method names: 'rGGp8ULNWf', 'IVppOD3yAO', 'eo3pG6XCdI', 'dvDpqSqJMg', 'simp1VGNm3', 'mGNpFmLLVL', 'GBrp3No98E', 'DEQpXJht6C', 'ATYpAyk8lu', 'xPJp9V6QJQ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, dbd0ZllYoCMBYnSqGq.cs	High entropy of concatenated method names: 'G39IV0A4qI', 'DiaIDOwb4v', 'F2tIdNtdpx', 'MeqINC0lws', 'UaiI6DPXTn', 'yxdIgeYqF0', 'yQbIuhPpqu', 'TVuIYv9Oax', 'jQLIT0KNdV', 'ce7IMrV2gM'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, GfvKNg8FlUXkwAxacj.cs	High entropy of concatenated method names: 'qY0sTRuYhd', 'IeWsBKAKUW', 'DBss8NWkc2', 'cb4sO3jnv2', 'JyjsNxccoR', 'Nc8sULCo3R', 'vaus6kjvdY', 'iR4sgXfQnp', 'lZxskICPHh', 'dB8sujwXPD'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, PDaU4xpDYAhDGS33p4.cs	High entropy of concatenated method names: 'Dispose', 'z2amAPqerL', 'dbPaNeAIuP', 'NDLqqtfwPp', 'zGWm9iOUvw', 'WoSmzvwrna', 'ProcessDialogKey', 'qMManeEvDI', 'C0ZamrPxph', 'xDNaaMnJGB'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, oeVRTKGDuZ07uQC2DF.cs	High entropy of concatenated method names: 'ToString', 'I8weMF9MJa', 'Q3VeNvHI1A', 'URLeUCYyCc', 'hmVe63fHBj', 'woBeg7QJpt', 'IGQekcLLFI', 'klgeunLg84', 'f3yeYe089V', 'f68erowird'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, ee1D2AaOC57Srk4dlM.cs	High entropy of concatenated method names: 'MySjScVwA', 'v4sLqUdji', 'K0h7dmVc3', 'y8yhZS6ZJ', 'wPPDk2a4x', 'OTdWjLP5r', 'GL05mUlH0R2pC3yBWa', 'Hh2ZwhiOTTruJQqh3X', 'AfyvBpbSm', 'uoL4pshM2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, OnJGBK9hdbXeZoWUYe.cs	High entropy of concatenated method names: 'Vr4fmt4Wyt', 'la7fELq6wn', 'GVlf0M5M0j', 'Mlqfyb2Tgy', 'gVQfpiboKB', 'BCmf5TEvjL', 'v6JftpsHSN', 'R70v3Ig4U1', 'KLHvXRihRu', 'h1ZvAslUk7'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, ORjUlDDKPtytrYCPdD.cs	High entropy of concatenated method names: 'LChHL1yLRu', 'nPMH706867', 'O3PHVJwh8C', 'u0IHDGrChS', 'VjpHshm7RM', 'AtIHevfrk7', 'Ua1HwTDUp0', 'bvdHvksQ3K', 'sONHfax26T', 'WiYH4lVtsA'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, W2r9RarKQsSukQqusj.cs	High entropy of concatenated method names: 'IEYKxD0m7y', 'NMpKiA7mKq', 'xYmKj2evEe', 'qF4KLrIKTt', 'uvJKQHnFN1', 'oZJK7N28fA', 'aWxKhuRJgb', 'tN8KVA2qXi', 'z48KDhuKvo', 'syAKWTmBb4'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, o96P6BqloI87MOn9Lq.cs	High entropy of concatenated method names: 'JcWwS0DaXu', 'XHGwcBVV8F', 'ToString', 'xVFwy7dq6b', 'FMewp2s7Fi', 'BBmwHuNVrn', 'IKSw5cpdHn', 'WsxwtuR4Ad', 'j47wKbjTCj', 'kBawPZnxYM'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, Y0PB5UmEbcllq2JVSxt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TjE48Euvvq', 'Crp4OFUxIT', 'zAA4GNDqqO', 'DNB4qhhBiN', 'Vu541ogHi4', 'bcm4FnFh6o', 'Vww43bMLYA'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, rduKy2FmjfUSsOQjwi.cs	High entropy of concatenated method names: 'dX9wXN33MR', 'hPkw9P1Dtd', 'KBSvnA6dAl', 'ULIvm5b4W2', 'Po3wMGUgmC', 'YIcwBMNN8q', 'OorwlpsZxV', 'u8yw87yRSj', 'djdwOQpgu4', 'QsiwGnaRfu'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, SdNmAq0WER4tyJtucj.cs	High entropy of concatenated method names: 'NCVmKQHR5p', 'rhxmPG8MCt', 'EKPmStytrY', 'uPdmcDuLvd', 'eYomsabqkh', 'LaIme9iCRd', 'LDmvSrwADgZLsEw8wF', 'a69SA9Zq6E1vyHdpUq', 'S9nmmpu1PI', 'OFgmEC1x4P'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, LLvdX3W8MmagX2Yoab.cs	High entropy of concatenated method names: 'vgp5Qj7RDC', 'T8u5hl3K7Y', 'NVbHUa2Chh', 'sDLH6JvPbC', 'pnnHgJvsBl', 'nFtHkh3fWf', 'TcQHuHGfk1', 't6YHYR2qw9', 'kmHHrk6CoZ', 'JaUHTj1tl3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, avtspHmnXixpKH2HNMm.cs	High entropy of concatenated method names: 'U5AfxKDDXa', 'JRvfi2urlJ', 'AMsfjUJWPh', 'kkjfLQoA0s', 'iBPfQp4aLZ', 'Pt7f7AjkPk', 'iMEfhAKHxn', 'OIZfVH5lal', 'iZqfDmmUSq', 'dL4fWoS2ny'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, YbtekxupaYpLNiOGHo.cs	High entropy of concatenated method names: 'eMKKyfU3Tp', 'UpQKHN9Rej', 'Sc7Ktv3d4J', 'PhCt9SSYjE', 'JrctzOVvwd', 'fpZKn4aNBe', 'fvqKm1kJyG', 'i7WKaP6sOu', 'TdfKEdbi24', 'TRhK0819jd'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	High entropy of concatenated method names: 'm1YE2xqRMm', 'rPVEy3yiY2', 'MEjEp5CDju', 'pnxEH8jJ2K', 'qxlE5MMwD7', 'lCFEtn9iBx', 'jIMEKAtsIK', 'JMwEPdyYRt', 'frcEbNDIDJ', 'vHUESDLINT'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, X6tUZhmm5pMtrtDWlM3.cs	High entropy of concatenated method names: 'ToString', 'umw4Ey8fOC', 'peu408Y0nj', 'bn5426Hp9N', 'qZ64yqWCg9', 'DYH4p8Ksqt', 'RX74HQQItB', 'K1K45qb0wQ', 'CqerJXFu4jphXRjSYXH', 'OFWoetFwEC3itflrk8S'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, TkhYaId9iCRd8Ie6PP.cs	High entropy of concatenated method names: 'B4Mt2Wg8Dm', 'VY5tpAijKX', 'GiGt5PxXqR', 'wFXtKANy98', 'y7qtP4PGR2', 'PCn51w5CPA', 'Ixk5F4blGn', 'zMD53PeHtV', 'mQp5XsnBjI', 'UvK5A0lxk2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, TWiOUvXw3oSvwrnawM.cs	High entropy of concatenated method names: 'T7Zvyp4ocl', 'yb5vpuKH3L', 'QHVvHW0SfN', 'XKov5x6FAH', 'DxVvttn5PB', 'HF2vKryJbY', 'cdyvPqE03F', 'djovbcYLe2', 'AJCvSdVBg2', 'aDYvc1MrZg'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, DQHR5pVfhxG8MCtHrX.cs	High entropy of concatenated method names: 'rGGp8ULNWf', 'IVppOD3yAO', 'eo3pG6XCdI', 'dvDpqSqJMg', 'simp1VGNm3', 'mGNpFmLLVL', 'GBrp3No98E', 'DEQpXJht6C', 'ATYpAyk8lu', 'xPJp9V6QJQ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, dbd0ZllYoCMBYnSqGq.cs	High entropy of concatenated method names: 'G39IV0A4qI', 'DiaIDOwb4v', 'F2tIdNtdpx', 'MeqINC0lws', 'UaiI6DPXTn', 'yxdIgeYqF0', 'yQbIuhPpqu', 'TVuIYv9Oax', 'jQLIT0KNdV', 'ce7IMrV2gM'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, GfvKNg8FlUXkwAxacj.cs	High entropy of concatenated method names: 'qY0sTRuYhd', 'IeWsBKAKUW', 'DBss8NWkc2', 'cb4sO3jnv2', 'JyjsNxccoR', 'Nc8sULCo3R', 'vaus6kjvdY', 'iR4sgXfQnp', 'lZxskICPHh', 'dB8sujwXPD'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, PDaU4xpDYAhDGS33p4.cs	High entropy of concatenated method names: 'Dispose', 'z2amAPqerL', 'dbPaNeAIuP', 'NDLqqtfwPp', 'zGWm9iOUvw', 'WoSmzvwrna', 'ProcessDialogKey', 'qMManeEvDI', 'C0ZamrPxph', 'xDNaaMnJGB'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, oeVRTKGDuZ07uQC2DF.cs	High entropy of concatenated method names: 'ToString', 'I8weMF9MJa', 'Q3VeNvHI1A', 'URLeUCYyCc', 'hmVe63fHBj', 'woBeg7QJpt', 'IGQekcLLFI', 'klgeunLg84', 'f3yeYe089V', 'f68erowird'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, ee1D2AaOC57Srk4dlM.cs	High entropy of concatenated method names: 'MySjScVwA', 'v4sLqUdji', 'K0h7dmVc3', 'y8yhZS6ZJ', 'wPPDk2a4x', 'OTdWjLP5r', 'GL05mUlH0R2pC3yBWa', 'Hh2ZwhiOTTruJQqh3X', 'AfyvBpbSm', 'uoL4pshM2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, OnJGBK9hdbXeZoWUYe.cs	High entropy of concatenated method names: 'Vr4fmt4Wyt', 'la7fELq6wn', 'GVlf0M5M0j', 'Mlqfyb2Tgy', 'gVQfpiboKB', 'BCmf5TEvjL', 'v6JftpsHSN', 'R70v3Ig4U1', 'KLHvXRihRu', 'h1ZvAslUk7'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, ORjUlDDKPtytrYCPdD.cs	High entropy of concatenated method names: 'LChHL1yLRu', 'nPMH706867', 'O3PHVJwh8C', 'u0IHDGrChS', 'VjpHshm7RM', 'AtIHevfrk7', 'Ua1HwTDUp0', 'bvdHvksQ3K', 'sONHfax26T', 'WiYH4lVtsA'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, W2r9RarKQsSukQqusj.cs	High entropy of concatenated method names: 'IEYKxD0m7y', 'NMpKiA7mKq', 'xYmKj2evEe', 'qF4KLrIKTt', 'uvJKQHnFN1', 'oZJK7N28fA', 'aWxKhuRJgb', 'tN8KVA2qXi', 'z48KDhuKvo', 'syAKWTmBb4'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, o96P6BqloI87MOn9Lq.cs	High entropy of concatenated method names: 'JcWwS0DaXu', 'XHGwcBVV8F', 'ToString', 'xVFwy7dq6b', 'FMewp2s7Fi', 'BBmwHuNVrn', 'IKSw5cpdHn', 'WsxwtuR4Ad', 'j47wKbjTCj', 'kBawPZnxYM'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, Y0PB5UmEbcllq2JVSxt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TjE48Euvvq', 'Crp4OFUxIT', 'zAA4GNDqqO', 'DNB4qhhBiN', 'Vu541ogHi4', 'bcm4FnFh6o', 'Vww43bMLYA'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, rduKy2FmjfUSsOQjwi.cs	High entropy of concatenated method names: 'dX9wXN33MR', 'hPkw9P1Dtd', 'KBSvnA6dAl', 'ULIvm5b4W2', 'Po3wMGUgmC', 'YIcwBMNN8q', 'OorwlpsZxV', 'u8yw87yRSj', 'djdwOQpgu4', 'QsiwGnaRfu'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, SdNmAq0WER4tyJtucj.cs	High entropy of concatenated method names: 'NCVmKQHR5p', 'rhxmPG8MCt', 'EKPmStytrY', 'uPdmcDuLvd', 'eYomsabqkh', 'LaIme9iCRd', 'LDmvSrwADgZLsEw8wF', 'a69SA9Zq6E1vyHdpUq', 'S9nmmpu1PI', 'OFgmEC1x4P'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, LLvdX3W8MmagX2Yoab.cs	High entropy of concatenated method names: 'vgp5Qj7RDC', 'T8u5hl3K7Y', 'NVbHUa2Chh', 'sDLH6JvPbC', 'pnnHgJvsBl', 'nFtHkh3fWf', 'TcQHuHGfk1', 't6YHYR2qw9', 'kmHHrk6CoZ', 'JaUHTj1tl3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, avtspHmnXixpKH2HNMm.cs	High entropy of concatenated method names: 'U5AfxKDDXa', 'JRvfi2urlJ', 'AMsfjUJWPh', 'kkjfLQoA0s', 'iBPfQp4aLZ', 'Pt7f7AjkPk', 'iMEfhAKHxn', 'OIZfVH5lal', 'iZqfDmmUSq', 'dL4fWoS2ny'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, YbtekxupaYpLNiOGHo.cs	High entropy of concatenated method names: 'eMKKyfU3Tp', 'UpQKHN9Rej', 'Sc7Ktv3d4J', 'PhCt9SSYjE', 'JrctzOVvwd', 'fpZKn4aNBe', 'fvqKm1kJyG', 'i7WKaP6sOu', 'TdfKEdbi24', 'TRhK0819jd'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe PID: 4280, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 8130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 9130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 92E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: A2E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 2F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 4FE0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199953	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199843	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199734	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199625	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199515	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199406	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199297	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199187	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199078	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198968	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198859	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198750	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198640	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198531	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198422	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198312	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198203	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198093	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197984	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197875	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197765	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197656	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197547	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196999	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196672	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196343	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Window / User API: threadDelayed 1301			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Window / User API: threadDelayed 8570			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 3448	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -98999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -98671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -98343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1196999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1196890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1196781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1196672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1196562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1196453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1196343s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 98999	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199953	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199843	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199734	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199625	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199515	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199406	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199297	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199187	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199078	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198968	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198859	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198750	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198640	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198531	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198422	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198312	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198203	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198093	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197984	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197875	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197765	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197656	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197547	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196999	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196672	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196343	Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4466783083.000000000146E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:!

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Process information queried: ProcessInformation

Enables debug privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Memory allocated: page read and write | page guard

Injects a PE file into a foreign processes

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe base: 400000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe"			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe"			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4466314496.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4467601113.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2027399991.00000000043BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe PID: 6360, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2028861509.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2026934654.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4466314496.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4467601113.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2027399991.00000000043BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe PID: 6360, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4466314496.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4467601113.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2027399991.00000000043BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe PID: 6360, type: MEMORYSTR

Found malware configuration

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2028861509.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2026934654.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
174.136.29.143	egyptian-international.com	United States		33494	IHNETUS	true

Contacted Domains

Name	IP	Active
egyptian-international.com	174.136.29.143	true
mail.egyptian-international.com	unknown	unknown

AV Detection

Source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.egyptian-international.com", "Username": "nour@egyptian-international.com", "Password": "@@Nour60008"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Virustotal: Detection: 47%			Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Joe Sandbox ML: detected

Snort IDS alert for network traffic

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49710 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49710 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49710 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49710 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49710 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49710 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49723 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49723 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49723 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49723 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49723 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49724 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49724 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49724 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49724 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49724 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49725 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49725 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49725 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49725 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49725 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49726 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49726 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49726 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49726 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49726 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49727 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49727 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49727 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49727 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49727 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49728 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49728 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49728 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49728 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49728 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49729 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49729 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49729 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49729 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49729 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49730 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49730 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49730 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49730 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49730 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49731 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49731 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49731 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49731 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49731 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49732 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49732 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49732 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49732 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49732 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49735 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49735 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49735 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49735 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49735 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49736 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49736 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49736 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49736 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49736 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49737 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49737 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49737 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49737 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49737 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49740 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49740 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49740 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49740 -> 174.136.29.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49740 -> 174.136.29.143:587

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49710 -> 174.136.29.143:587

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: IHNETUS IHNETUS

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.5:49710 -> 174.136.29.143:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: mail.egyptian-international.com

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000324D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.0000000003156000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000319D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000339B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000341B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.0000000003306000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000304F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://egyptian-international.com
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000324D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.0000000003156000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000319D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000339B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000341B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.0000000003306000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4467601113.000000000304F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.egyptian-international.com
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000000.00000002.2027399991.00000000043BE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4466314496.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, oAKy.cs	.Net Code: xiG
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.raw.unpack, oAKy.cs	.Net Code: xiG

Installs a global keyboard hook

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Window created: window name: CLIPBRDWNDCLASS

Malicious sample detected (through community Yara rule)

System Summary

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_031AD64C	0_2_031AD64C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_057F7880	0_2_057F7880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_057F0040	0_2_057F0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_057F003A	0_2_057F003A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A3320	0_2_073A3320
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073AF2D0	0_2_073AF2D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A9698	0_2_073A9698
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A3310	0_2_073A3310
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073AA360	0_2_073AA360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A2158	0_2_073A2158
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A9F28	0_2_073A9F28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073ABB68	0_2_073ABB68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A1B58	0_2_073A1B58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073ABB57	0_2_073ABB57
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A1B47	0_2_073A1B47
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A9AF0	0_2_073A9AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_073A9AE1	0_2_073A9AE1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_02F74308	4_2_02F74308
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_02F74BD8	4_2_02F74BD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_02F7CEE0	4_2_02F7CEE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_02F73FC0	4_2_02F73FC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_02F79C78	4_2_02F79C78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_06572EF0	4_2_06572EF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_065756B0	4_2_065756B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_06573F20	4_2_06573F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_0657BCE0	4_2_0657BCE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_0657DCE0	4_2_0657DCE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_06579AB0	4_2_06579AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_06578B52	4_2_06578B52
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_06570040	4_2_06570040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_0657360B	4_2_0657360B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_06574FD0	4_2_06574FD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_066B1128	4_2_066B1128
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_066B1122	4_2_066B1122

PE / OLE file has an invalid certificate

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000000.00000002.2025832945.00000000015EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000000.00000002.2026934654.000000000324A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename68e94292-e7ba-498c-970d-76afa5e24b67.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000000.00000002.2027399991.00000000043BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename68e94292-e7ba-498c-970d-76afa5e24b67.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000000.00000002.2027399991.00000000043BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000000.00000002.2029404387.00000000076F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4466512615.00000000010F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4466314496.000000000043E000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename68e94292-e7ba-498c-970d-76afa5e24b67.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Binary or memory string: OriginalFilenamejxrb.exeX vs SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, ekKu0.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, vKf1z6NvS.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, ZNAvlD7qmXc.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, U2doU2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, BgffYko.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, HrTdA63.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, DQHR5pVfhxG8MCtHrX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, DQHR5pVfhxG8MCtHrX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.322bd58.6.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.3223d40.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.3270858.4.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b30000.11.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.log

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Mutant created: NULL

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Virustotal: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

.NET source code contains method to dynamically call methods (often used by packers)

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, MainWindow.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, I1Ds3abkUA5mh3kywv.cs	.Net Code: hyVW2X9uL System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, I1Ds3abkUA5mh3kywv.cs	.Net Code: hyVW2X9uL System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	.Net Code: j3g0jZCWPg System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	.Net Code: j3g0jZCWPg System.Reflection.Assembly.Load(byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_05806D28 pushfd ; ret	0_2_05806D35
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_05808EF8 push eax; mov dword ptr [esp], ecx	0_2_05808EFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_058099F0 push eax; ret	0_2_05809A03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 0_2_058058D0 pushfd ; ret	0_2_058058DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Code function: 4_2_066B8212 push 00000006h; ret	4_2_066B822C

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Static PE information: section name: .text entropy: 7.9700877256777884

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, R87QTajabri3WprdxA.cs	High entropy of concatenated method names: 'SoFXXYTXBr', 'VXePqW7LxoGttIrQMM', 'VJKqh4rSy8UE5CPs2d', 'w7T6rNymrPsVe05ZjX', 'Qa5usbZfG', 'UsaN6r2JI', 'Dispose', 'xdE70OV1R', 'WKG8Nh2TLfQX7DMBJq', 'FCyDZoO16YhsTUYx7V'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, I1Ds3abkUA5mh3kywv.cs	High entropy of concatenated method names: 'I6pnpGMEc', 'pUPSoKeTB', 'w3OonGh86', 'S3aaCOvyF', 'MagvcleIh', 'hvmph4XfL', 'eXtqEM8mO', 'RC38AH4Bb', 'hyVW2X9uL', 'AbHynsT40'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs	High entropy of concatenated method names: 'sRJJ4PC1lt6MgSX9oLN', 'qCuPUJCYMdGJYrcKdqj', 'T9OMNMJAsS', 'KH71sVC96gudd8OjhqS', 'qSoaq8CnboJYXbPCm1H', 'XtbiVDCeUWVlZdG2V08', 'D2TFRiCIaLSytg31rTE', 'MtxGm4CM57HGXUKQMIN', 'RgtTUJcyZL', 'eFmMT9Tlnp'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, QEHxtuXFnnkJABhbAo.cs	High entropy of concatenated method names: 'Geosg7Hdn', 'wwIBOnTmd', 'siWV4YECO', 'k32FNitut', 'cUAG5mh3k', 'JwvHwu9Dw', 'cr1hyajqeLqaQ4F9dK', 'Pgut89mcfAIn6Hs5oN', 'Dispose', 'MoveNext'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, R87QTajabri3WprdxA.cs	High entropy of concatenated method names: 'SoFXXYTXBr', 'VXePqW7LxoGttIrQMM', 'VJKqh4rSy8UE5CPs2d', 'w7T6rNymrPsVe05ZjX', 'Qa5usbZfG', 'UsaN6r2JI', 'Dispose', 'xdE70OV1R', 'WKG8Nh2TLfQX7DMBJq', 'FCyDZoO16YhsTUYx7V'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, I1Ds3abkUA5mh3kywv.cs	High entropy of concatenated method names: 'I6pnpGMEc', 'pUPSoKeTB', 'w3OonGh86', 'S3aaCOvyF', 'MagvcleIh', 'hvmph4XfL', 'eXtqEM8mO', 'RC38AH4Bb', 'hyVW2X9uL', 'AbHynsT40'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs	High entropy of concatenated method names: 'sRJJ4PC1lt6MgSX9oLN', 'qCuPUJCYMdGJYrcKdqj', 'T9OMNMJAsS', 'KH71sVC96gudd8OjhqS', 'qSoaq8CnboJYXbPCm1H', 'XtbiVDCeUWVlZdG2V08', 'D2TFRiCIaLSytg31rTE', 'MtxGm4CM57HGXUKQMIN', 'RgtTUJcyZL', 'eFmMT9Tlnp'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, QEHxtuXFnnkJABhbAo.cs	High entropy of concatenated method names: 'Geosg7Hdn', 'wwIBOnTmd', 'siWV4YECO', 'k32FNitut', 'cUAG5mh3k', 'JwvHwu9Dw', 'cr1hyajqeLqaQ4F9dK', 'Pgut89mcfAIn6Hs5oN', 'Dispose', 'MoveNext'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	High entropy of concatenated method names: 'm1YE2xqRMm', 'rPVEy3yiY2', 'MEjEp5CDju', 'pnxEH8jJ2K', 'qxlE5MMwD7', 'lCFEtn9iBx', 'jIMEKAtsIK', 'JMwEPdyYRt', 'frcEbNDIDJ', 'vHUESDLINT'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, X6tUZhmm5pMtrtDWlM3.cs	High entropy of concatenated method names: 'ToString', 'umw4Ey8fOC', 'peu408Y0nj', 'bn5426Hp9N', 'qZ64yqWCg9', 'DYH4p8Ksqt', 'RX74HQQItB', 'K1K45qb0wQ', 'CqerJXFu4jphXRjSYXH', 'OFWoetFwEC3itflrk8S'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, TkhYaId9iCRd8Ie6PP.cs	High entropy of concatenated method names: 'B4Mt2Wg8Dm', 'VY5tpAijKX', 'GiGt5PxXqR', 'wFXtKANy98', 'y7qtP4PGR2', 'PCn51w5CPA', 'Ixk5F4blGn', 'zMD53PeHtV', 'mQp5XsnBjI', 'UvK5A0lxk2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, TWiOUvXw3oSvwrnawM.cs	High entropy of concatenated method names: 'T7Zvyp4ocl', 'yb5vpuKH3L', 'QHVvHW0SfN', 'XKov5x6FAH', 'DxVvttn5PB', 'HF2vKryJbY', 'cdyvPqE03F', 'djovbcYLe2', 'AJCvSdVBg2', 'aDYvc1MrZg'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, DQHR5pVfhxG8MCtHrX.cs	High entropy of concatenated method names: 'rGGp8ULNWf', 'IVppOD3yAO', 'eo3pG6XCdI', 'dvDpqSqJMg', 'simp1VGNm3', 'mGNpFmLLVL', 'GBrp3No98E', 'DEQpXJht6C', 'ATYpAyk8lu', 'xPJp9V6QJQ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, dbd0ZllYoCMBYnSqGq.cs	High entropy of concatenated method names: 'G39IV0A4qI', 'DiaIDOwb4v', 'F2tIdNtdpx', 'MeqINC0lws', 'UaiI6DPXTn', 'yxdIgeYqF0', 'yQbIuhPpqu', 'TVuIYv9Oax', 'jQLIT0KNdV', 'ce7IMrV2gM'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, GfvKNg8FlUXkwAxacj.cs	High entropy of concatenated method names: 'qY0sTRuYhd', 'IeWsBKAKUW', 'DBss8NWkc2', 'cb4sO3jnv2', 'JyjsNxccoR', 'Nc8sULCo3R', 'vaus6kjvdY', 'iR4sgXfQnp', 'lZxskICPHh', 'dB8sujwXPD'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, PDaU4xpDYAhDGS33p4.cs	High entropy of concatenated method names: 'Dispose', 'z2amAPqerL', 'dbPaNeAIuP', 'NDLqqtfwPp', 'zGWm9iOUvw', 'WoSmzvwrna', 'ProcessDialogKey', 'qMManeEvDI', 'C0ZamrPxph', 'xDNaaMnJGB'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, oeVRTKGDuZ07uQC2DF.cs	High entropy of concatenated method names: 'ToString', 'I8weMF9MJa', 'Q3VeNvHI1A', 'URLeUCYyCc', 'hmVe63fHBj', 'woBeg7QJpt', 'IGQekcLLFI', 'klgeunLg84', 'f3yeYe089V', 'f68erowird'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, ee1D2AaOC57Srk4dlM.cs	High entropy of concatenated method names: 'MySjScVwA', 'v4sLqUdji', 'K0h7dmVc3', 'y8yhZS6ZJ', 'wPPDk2a4x', 'OTdWjLP5r', 'GL05mUlH0R2pC3yBWa', 'Hh2ZwhiOTTruJQqh3X', 'AfyvBpbSm', 'uoL4pshM2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, OnJGBK9hdbXeZoWUYe.cs	High entropy of concatenated method names: 'Vr4fmt4Wyt', 'la7fELq6wn', 'GVlf0M5M0j', 'Mlqfyb2Tgy', 'gVQfpiboKB', 'BCmf5TEvjL', 'v6JftpsHSN', 'R70v3Ig4U1', 'KLHvXRihRu', 'h1ZvAslUk7'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, ORjUlDDKPtytrYCPdD.cs	High entropy of concatenated method names: 'LChHL1yLRu', 'nPMH706867', 'O3PHVJwh8C', 'u0IHDGrChS', 'VjpHshm7RM', 'AtIHevfrk7', 'Ua1HwTDUp0', 'bvdHvksQ3K', 'sONHfax26T', 'WiYH4lVtsA'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, W2r9RarKQsSukQqusj.cs	High entropy of concatenated method names: 'IEYKxD0m7y', 'NMpKiA7mKq', 'xYmKj2evEe', 'qF4KLrIKTt', 'uvJKQHnFN1', 'oZJK7N28fA', 'aWxKhuRJgb', 'tN8KVA2qXi', 'z48KDhuKvo', 'syAKWTmBb4'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, o96P6BqloI87MOn9Lq.cs	High entropy of concatenated method names: 'JcWwS0DaXu', 'XHGwcBVV8F', 'ToString', 'xVFwy7dq6b', 'FMewp2s7Fi', 'BBmwHuNVrn', 'IKSw5cpdHn', 'WsxwtuR4Ad', 'j47wKbjTCj', 'kBawPZnxYM'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, Y0PB5UmEbcllq2JVSxt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TjE48Euvvq', 'Crp4OFUxIT', 'zAA4GNDqqO', 'DNB4qhhBiN', 'Vu541ogHi4', 'bcm4FnFh6o', 'Vww43bMLYA'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, rduKy2FmjfUSsOQjwi.cs	High entropy of concatenated method names: 'dX9wXN33MR', 'hPkw9P1Dtd', 'KBSvnA6dAl', 'ULIvm5b4W2', 'Po3wMGUgmC', 'YIcwBMNN8q', 'OorwlpsZxV', 'u8yw87yRSj', 'djdwOQpgu4', 'QsiwGnaRfu'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, SdNmAq0WER4tyJtucj.cs	High entropy of concatenated method names: 'NCVmKQHR5p', 'rhxmPG8MCt', 'EKPmStytrY', 'uPdmcDuLvd', 'eYomsabqkh', 'LaIme9iCRd', 'LDmvSrwADgZLsEw8wF', 'a69SA9Zq6E1vyHdpUq', 'S9nmmpu1PI', 'OFgmEC1x4P'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, LLvdX3W8MmagX2Yoab.cs	High entropy of concatenated method names: 'vgp5Qj7RDC', 'T8u5hl3K7Y', 'NVbHUa2Chh', 'sDLH6JvPbC', 'pnnHgJvsBl', 'nFtHkh3fWf', 'TcQHuHGfk1', 't6YHYR2qw9', 'kmHHrk6CoZ', 'JaUHTj1tl3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, avtspHmnXixpKH2HNMm.cs	High entropy of concatenated method names: 'U5AfxKDDXa', 'JRvfi2urlJ', 'AMsfjUJWPh', 'kkjfLQoA0s', 'iBPfQp4aLZ', 'Pt7f7AjkPk', 'iMEfhAKHxn', 'OIZfVH5lal', 'iZqfDmmUSq', 'dL4fWoS2ny'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.76f0000.12.raw.unpack, YbtekxupaYpLNiOGHo.cs	High entropy of concatenated method names: 'eMKKyfU3Tp', 'UpQKHN9Rej', 'Sc7Ktv3d4J', 'PhCt9SSYjE', 'JrctzOVvwd', 'fpZKn4aNBe', 'fvqKm1kJyG', 'i7WKaP6sOu', 'TdfKEdbi24', 'TRhK0819jd'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, n0aSXdPOOVLlnQcJpI.cs	High entropy of concatenated method names: 'm1YE2xqRMm', 'rPVEy3yiY2', 'MEjEp5CDju', 'pnxEH8jJ2K', 'qxlE5MMwD7', 'lCFEtn9iBx', 'jIMEKAtsIK', 'JMwEPdyYRt', 'frcEbNDIDJ', 'vHUESDLINT'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, X6tUZhmm5pMtrtDWlM3.cs	High entropy of concatenated method names: 'ToString', 'umw4Ey8fOC', 'peu408Y0nj', 'bn5426Hp9N', 'qZ64yqWCg9', 'DYH4p8Ksqt', 'RX74HQQItB', 'K1K45qb0wQ', 'CqerJXFu4jphXRjSYXH', 'OFWoetFwEC3itflrk8S'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, TkhYaId9iCRd8Ie6PP.cs	High entropy of concatenated method names: 'B4Mt2Wg8Dm', 'VY5tpAijKX', 'GiGt5PxXqR', 'wFXtKANy98', 'y7qtP4PGR2', 'PCn51w5CPA', 'Ixk5F4blGn', 'zMD53PeHtV', 'mQp5XsnBjI', 'UvK5A0lxk2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, TWiOUvXw3oSvwrnawM.cs	High entropy of concatenated method names: 'T7Zvyp4ocl', 'yb5vpuKH3L', 'QHVvHW0SfN', 'XKov5x6FAH', 'DxVvttn5PB', 'HF2vKryJbY', 'cdyvPqE03F', 'djovbcYLe2', 'AJCvSdVBg2', 'aDYvc1MrZg'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, DQHR5pVfhxG8MCtHrX.cs	High entropy of concatenated method names: 'rGGp8ULNWf', 'IVppOD3yAO', 'eo3pG6XCdI', 'dvDpqSqJMg', 'simp1VGNm3', 'mGNpFmLLVL', 'GBrp3No98E', 'DEQpXJht6C', 'ATYpAyk8lu', 'xPJp9V6QJQ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, dbd0ZllYoCMBYnSqGq.cs	High entropy of concatenated method names: 'G39IV0A4qI', 'DiaIDOwb4v', 'F2tIdNtdpx', 'MeqINC0lws', 'UaiI6DPXTn', 'yxdIgeYqF0', 'yQbIuhPpqu', 'TVuIYv9Oax', 'jQLIT0KNdV', 'ce7IMrV2gM'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, GfvKNg8FlUXkwAxacj.cs	High entropy of concatenated method names: 'qY0sTRuYhd', 'IeWsBKAKUW', 'DBss8NWkc2', 'cb4sO3jnv2', 'JyjsNxccoR', 'Nc8sULCo3R', 'vaus6kjvdY', 'iR4sgXfQnp', 'lZxskICPHh', 'dB8sujwXPD'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, PDaU4xpDYAhDGS33p4.cs	High entropy of concatenated method names: 'Dispose', 'z2amAPqerL', 'dbPaNeAIuP', 'NDLqqtfwPp', 'zGWm9iOUvw', 'WoSmzvwrna', 'ProcessDialogKey', 'qMManeEvDI', 'C0ZamrPxph', 'xDNaaMnJGB'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, oeVRTKGDuZ07uQC2DF.cs	High entropy of concatenated method names: 'ToString', 'I8weMF9MJa', 'Q3VeNvHI1A', 'URLeUCYyCc', 'hmVe63fHBj', 'woBeg7QJpt', 'IGQekcLLFI', 'klgeunLg84', 'f3yeYe089V', 'f68erowird'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, ee1D2AaOC57Srk4dlM.cs	High entropy of concatenated method names: 'MySjScVwA', 'v4sLqUdji', 'K0h7dmVc3', 'y8yhZS6ZJ', 'wPPDk2a4x', 'OTdWjLP5r', 'GL05mUlH0R2pC3yBWa', 'Hh2ZwhiOTTruJQqh3X', 'AfyvBpbSm', 'uoL4pshM2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, OnJGBK9hdbXeZoWUYe.cs	High entropy of concatenated method names: 'Vr4fmt4Wyt', 'la7fELq6wn', 'GVlf0M5M0j', 'Mlqfyb2Tgy', 'gVQfpiboKB', 'BCmf5TEvjL', 'v6JftpsHSN', 'R70v3Ig4U1', 'KLHvXRihRu', 'h1ZvAslUk7'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, ORjUlDDKPtytrYCPdD.cs	High entropy of concatenated method names: 'LChHL1yLRu', 'nPMH706867', 'O3PHVJwh8C', 'u0IHDGrChS', 'VjpHshm7RM', 'AtIHevfrk7', 'Ua1HwTDUp0', 'bvdHvksQ3K', 'sONHfax26T', 'WiYH4lVtsA'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, W2r9RarKQsSukQqusj.cs	High entropy of concatenated method names: 'IEYKxD0m7y', 'NMpKiA7mKq', 'xYmKj2evEe', 'qF4KLrIKTt', 'uvJKQHnFN1', 'oZJK7N28fA', 'aWxKhuRJgb', 'tN8KVA2qXi', 'z48KDhuKvo', 'syAKWTmBb4'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, o96P6BqloI87MOn9Lq.cs	High entropy of concatenated method names: 'JcWwS0DaXu', 'XHGwcBVV8F', 'ToString', 'xVFwy7dq6b', 'FMewp2s7Fi', 'BBmwHuNVrn', 'IKSw5cpdHn', 'WsxwtuR4Ad', 'j47wKbjTCj', 'kBawPZnxYM'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, Y0PB5UmEbcllq2JVSxt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TjE48Euvvq', 'Crp4OFUxIT', 'zAA4GNDqqO', 'DNB4qhhBiN', 'Vu541ogHi4', 'bcm4FnFh6o', 'Vww43bMLYA'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, rduKy2FmjfUSsOQjwi.cs	High entropy of concatenated method names: 'dX9wXN33MR', 'hPkw9P1Dtd', 'KBSvnA6dAl', 'ULIvm5b4W2', 'Po3wMGUgmC', 'YIcwBMNN8q', 'OorwlpsZxV', 'u8yw87yRSj', 'djdwOQpgu4', 'QsiwGnaRfu'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, SdNmAq0WER4tyJtucj.cs	High entropy of concatenated method names: 'NCVmKQHR5p', 'rhxmPG8MCt', 'EKPmStytrY', 'uPdmcDuLvd', 'eYomsabqkh', 'LaIme9iCRd', 'LDmvSrwADgZLsEw8wF', 'a69SA9Zq6E1vyHdpUq', 'S9nmmpu1PI', 'OFgmEC1x4P'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, LLvdX3W8MmagX2Yoab.cs	High entropy of concatenated method names: 'vgp5Qj7RDC', 'T8u5hl3K7Y', 'NVbHUa2Chh', 'sDLH6JvPbC', 'pnnHgJvsBl', 'nFtHkh3fWf', 'TcQHuHGfk1', 't6YHYR2qw9', 'kmHHrk6CoZ', 'JaUHTj1tl3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, avtspHmnXixpKH2HNMm.cs	High entropy of concatenated method names: 'U5AfxKDDXa', 'JRvfi2urlJ', 'AMsfjUJWPh', 'kkjfLQoA0s', 'iBPfQp4aLZ', 'Pt7f7AjkPk', 'iMEfhAKHxn', 'OIZfVH5lal', 'iZqfDmmUSq', 'dL4fWoS2ny'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.45c6930.9.raw.unpack, YbtekxupaYpLNiOGHo.cs	High entropy of concatenated method names: 'eMKKyfU3Tp', 'UpQKHN9Rej', 'Sc7Ktv3d4J', 'PhCt9SSYjE', 'JrctzOVvwd', 'fpZKn4aNBe', 'fvqKm1kJyG', 'i7WKaP6sOu', 'TdfKEdbi24', 'TRhK0819jd'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe PID: 4280, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 8130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 9130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 92E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: A2E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 2F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Memory allocated: 4FE0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199953	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199843	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199734	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199625	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199515	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199406	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199297	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199187	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199078	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198968	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198859	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198750	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198640	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198531	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198422	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198312	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198203	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198093	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197984	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197875	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197765	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197656	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197547	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196999	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196672	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196343	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Window / User API: threadDelayed 1301			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Window / User API: threadDelayed 8570			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 3448	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -98999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -98671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -98343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1199078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1198093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1197109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1196999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1196890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1196781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1196672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1196562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1196453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe TID: 5816	Thread sleep time: -1196343s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 98999	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199953	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199843	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199734	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199625	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199515	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199406	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199297	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199187	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1199078	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198968	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198859	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198750	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198640	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198531	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198422	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198312	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198203	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1198093	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197984	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197875	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197765	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197656	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197547	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1197109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196999	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196672	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Thread delayed: delay time: 1196343	Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe, 00000004.00000002.4466783083.000000000146E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:!

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Process information queried: ProcessInformation

Enables debug privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Memory allocated: page read and write | page guard

Injects a PE file into a foreign processes

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe base: 400000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe"			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe"			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4466314496.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4467601113.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2027399991.00000000043BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe PID: 6360, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.5b00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.320986c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2028861509.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2026934654.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4466314496.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4467601113.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2027399991.00000000043BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe PID: 6360, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44fd360.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe.44c2340.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4466314496.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4467601113.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2027399991.00000000043BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11526.16693.exe PID: 6360, type: MEMORYSTR