Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
Analysis ID:	1431282
MD5:	d760dc358592d6717d4d6ca1ca0b4a41
SHA1:	c9cecc6110f3568c4b8d38c95f834b3bf7a7c0d8
SHA256:	87c5e257097fbb317f8f64250f0796574dfaf1e132e4819dc9c62d9d59c227dd
Tags:	exe
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe (PID: 6620 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe" MD5: D760DC358592D6717D4D6CA1CA0B4A41)

SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe (PID: 4856 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe" MD5: D760DC358592D6717D4D6CA1CA0B4A41)

SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe (PID: 2928 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe" MD5: D760DC358592D6717D4D6CA1CA0B4A41)

SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe (PID: 5912 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe" MD5: D760DC358592D6717D4D6CA1CA0B4A41)

SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe (PID: 5080 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe" MD5: D760DC358592D6717D4D6CA1CA0B4A41)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "naz@itc-ib.net", "Password": "N@DRpoY0"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2069338415.0000000003F19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2073329102.0000000005960000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.3309198673.000000000301E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.3307195711.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3307195711.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.3309198673.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3309198673.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2069338415.0000000004907000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2069338415.0000000004907000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe PID: 6620	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe PID: 6620	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe PID: 6620	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe PID: 5080	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe PID: 5080	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.3f19970.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.5960000.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.5960000.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.3f19970.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33eaf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33f21:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33fab:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3403d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x340a7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34119:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x341af:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3423f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x320af:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32121:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x321ab:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3223d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x322a7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32319:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x323af:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3243f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0xb22cf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xed8ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x128d0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xb2341:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xed961:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x128d81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xb23cb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xed9eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x128e0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xb245d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xeda7d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x128e9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xb24c7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xedae7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x128f07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xb2539:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xedb59:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x128f79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xb25cf:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xedbef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x12900f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33eaf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f4cf:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaa8ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33f21:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f541:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xaa961:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33fab:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f5cb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xaa9eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3403d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f65d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xaaa7d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x340a7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f6c7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xaaae7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34119:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f739:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xaab59:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x341af:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f7cf:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xaabef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x1306ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x16bd0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1a712f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x130761:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x16bd81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1a71a1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1307eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x16be0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1a722b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x13087d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x16be9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1a72bd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1308e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x16bf07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1a7327:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x130959:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x16bf79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1a7399:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1309ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x16c00f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1a742f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 16 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.199.224, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, Initiated: true, ProcessId: 5080, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 5.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "naz@itc-ib.net", "Password": "N@DRpoY0"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

ReversingLabs: Detection: 21%

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: tRZtZ.pdb source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
Source:	Binary string: tRZtZ.pdbSHA256 source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 208.91.199.224:587

Source: Joe Sandbox View

IP Address: 208.91.199.224 208.91.199.224

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 208.91.199.224:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: us2.smtp.mailhostbox.com

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3309198673.0000000003026000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3307591782.000000000123F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3315006708.0000000006A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3309198673.0000000003026000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3307591782.000000000123F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3309198673.0000000003026000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3307591782.000000000123F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3309198673.0000000003026000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3307591782.000000000123F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0A
Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3309198673.0000000003026000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000000.00000002.2069338415.0000000004907000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3307195711.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3309198673.0000000003026000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3307591782.000000000123F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.raw.unpack, cPKWk.cs

.Net Code: jKc2cDf

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 0_2_02D9D5BC	0_2_02D9D5BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 0_2_06058CB8	0_2_06058CB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 0_2_06059B68	0_2_06059B68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 0_2_0605CBC0	0_2_0605CBC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 0_2_0605C8A8	0_2_0605C8A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 0_2_060579C8	0_2_060579C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 0_2_0605BE78	0_2_0605BE78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 0_2_06056EB8	0_2_06056EB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 0_2_06058718	0_2_06058718
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 0_2_0605BC30	0_2_0605BC30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 0_2_0605AA08	0_2_0605AA08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 0_2_06058250	0_2_06058250
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 0_2_06050006	0_2_06050006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 0_2_06050040	0_2_06050040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 0_2_0605D850	0_2_0605D850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 0_2_0605B8C0	0_2_0605B8C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 5_2_01674A98	5_2_01674A98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 5_2_01679C08	5_2_01679C08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 5_2_01673E80	5_2_01673E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 5_2_016741C8	5_2_016741C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 5_2_0167D2B0	5_2_0167D2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 5_2_065656D0	5_2_065656D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 5_2_06562EF0	5_2_06562EF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 5_2_06563F48	5_2_06563F48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 5_2_0656BD08	5_2_0656BD08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 5_2_065605B8	5_2_065605B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 5_2_06569AE0	5_2_06569AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 5_2_06568BA0	5_2_06568BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 5_2_06563650	5_2_06563650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 5_2_06564FF0	5_2_06564FF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Code function: 5_2_01679C01	5_2_01679C01

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000000.00000002.2063391707.0000000003067000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec85b37e2-75b0-4234-9c02-552db01b2b21.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000000.00000000.2049159854.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametRZtZ.exen' vs SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000000.00000002.2072063764.0000000004F10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000000.00000002.2062074347.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000000.00000002.2069338415.0000000004907000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000000.00000002.2069338415.0000000004907000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec85b37e2-75b0-4234-9c02-552db01b2b21.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3307195711.000000000043E000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec85b37e2-75b0-4234-9c02-552db01b2b21.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3307479640.00000000010F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Binary or memory string: OriginalFilenametRZtZ.exen' vs SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.5960000.11.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.5960000.11.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.3f19970.8.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.3f19970.8.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, d6xQSBapuxcv9EN06s.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, d6xQSBapuxcv9EN06s.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, d6xQSBapuxcv9EN06s.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, zrWCPG3dLvJK3EgkMW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, zrWCPG3dLvJK3EgkMW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, d6xQSBapuxcv9EN06s.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, d6xQSBapuxcv9EN06s.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, d6xQSBapuxcv9EN06s.cs	Security API names: _0020.AddAccessRule

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.5990000.12.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.32eb258.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.2f4f0c8.5.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.2f5f484.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/1@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Mutant created: NULL

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: tRZtZ.pdb source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
Source:	Binary string: tRZtZ.pdbSHA256 source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.5960000.11.raw.unpack, V4uC3Iifq56IKQcfry.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.3f19970.8.raw.unpack, V4uC3Iifq56IKQcfry.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, Form1.cs	.Net Code: InitializeComponent
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, d6xQSBapuxcv9EN06s.cs	.Net Code: XF7ni4DdhA System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, d6xQSBapuxcv9EN06s.cs	.Net Code: XF7ni4DdhA System.Reflection.Assembly.Load(byte[])

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Static PE information: 0x83A41C42 [Tue Dec 27 03:47:14 2039 UTC]

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Code function: 0_2_06053E3A push ds; ret

0_2_06053E3B

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Static PE information: section name: .text entropy: 7.9824303162566155

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, tI2pr9waypbr6FZsTC.cs	High entropy of concatenated method names: 'EcwiT8RtC', 'dfxydkXcD', 'wtuVZebXJ', 'C7oWV3uOL', 'q9yl6i5nU', 'zplGiKm3Q', 'mZkcZmPGvxEXLc6w0Q', 'NEJZnripPmBNMLfg4r', 'I8kJjQ2vY', 'pSt9H76Aj'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, cMa5f2nkbwMSJ9jBMr.cs	High entropy of concatenated method names: 'Mr8gQOebUW', 'd1Igrg8pPq', 'KXrgT8M38p', 'QItTMpDnll', 'z2GTzPQC9D', 'BDtgP5rtNP', 'emjgXg30mN', 'v8xgDCPAPF', 'c1Ug7MyFmn', 'RkYgnBfRhs'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, kRMRZ7dipxXsDCZVAAj.cs	High entropy of concatenated method names: 'YshkZuoqxu', 'Ap3kurY9ta', 'RCGki4trOc', 'KX3kyQ0apV', 'AyOkA3G8vr', 'QqqkVVrNe1', 'CTSkW1MQnH', 'bbukpCBgFX', 'NuWklf2UtD', 'sKOkGTt91I'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, EMO7B1gN4QWasy0VHo.cs	High entropy of concatenated method names: 'tEAwpNEmuN', 'X80wlfgN8L', 'pwWwBdItrH', 'FHCw5BuWNh', 'RpSwmByXYc', 'hALwY3Tffv', 'CKZws6Kfcn', 'Dv4wfmcA8W', 'dhnw8RQ2ot', 'EBWwR9kUAq'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, ESd1vpSgRUx49WWX2w.cs	High entropy of concatenated method names: 'SrdJBtGryw', 'kM3J5Mhrky', 'UVUJxYN7Ng', 'mDFJmIYjkH', 'tfmJ6FH4KX', 'wssJYZAavU', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, uQ3W5Ck4LyfS8CSIuG.cs	High entropy of concatenated method names: 'IgYgZFsGUU', 'Pfsgu03RnB', 'qyOgi59VY3', 'pvjgyePU9u', 'bxTgAg05Ki', 'y8igVqSHYi', 'x4RgWshfNQ', 'jXVgpRlvQE', 'RJNglFTlky', 'M8igGGxt76'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, dsn0tHzswp5nEwEdfH.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XOJkws8Cjw', 'YJskCXZZni', 'Pf6kFDuYMQ', 'KU9kIk4mPl', 'eYNkJDBV0b', 'hUokk0OZwQ', 'Fkwk9fHcq9'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, zAxcuj6YFTwcHDobjA.cs	High entropy of concatenated method names: 'L9tkXnAfYW', 'FQ8k70nAts', 'eXeknMpEVn', 'mfYkQMOkKv', 'PXOkS42kew', 'AJjkjYdVxg', 'ChpkTe2uoV', 'AffJOdRMeh', 'CSMJNbUiiG', 'j3wJvnOT1j'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, zrWCPG3dLvJK3EgkMW.cs	High entropy of concatenated method names: 'XgxS67tmaY', 'oZlS0YVkry', 'MenSh9QvLQ', 'M7pSLAUGeA', 'VFmSEiOTSR', 'H4PS4rcEFO', 'FerSOHXrUK', 'p7ISNfGRBT', 'O6OSvgnof5', 'MkoSMlH5G6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, tFeiT0I3vQIcnwVjg1.cs	High entropy of concatenated method names: 'XO2rynXUjt', 'EXlrVjhDBa', 'IQirpcQnGv', 'k41rlkexWU', 'o3xrCkY0ZO', 'cTerFcD5YX', 'wvgrIHackT', 'cCSrJv4Juj', 'jqorklEgUW', 'O5Ar9Pc4lN'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, zmYWwDZ8FykQ1x2sQs.cs	High entropy of concatenated method names: 'sWdIU71xka', 'eRVIdBpZKt', 'ToString', 'ACGIQX1xyj', 'XkAISEuLnx', 'W6TIrUXJ2v', 'CF3IjAWLBb', 'dIIITaXyPL', 'kkBIgNi8Rj', 'yP4IebslcS'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, d6xQSBapuxcv9EN06s.cs	High entropy of concatenated method names: 'GK47thRnjx', 'C9d7QUoPPg', 'KGi7SIXdlR', 'nSQ7rjQmaF', 'FLp7j93riK', 'GWs7T0wim7', 'gvu7gwQ23l', 'iPb7e5q6cZ', 'xD473KCIiE', 'UYX7UlWEHS'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, GIM2cLv1BMT29pRR3L.cs	High entropy of concatenated method names: 'ksmXgysZLR', 'f9oXeZQ0gN', 'THtXU3RK9t', 'G3UXdDJpRH', 'ukpXCj5rRg', 'taXXFLkBnm', 'e0v2hVSQRoJkCTXiCq', 'DxU6WEVZZgNrqnPYyZ', 'XeFXXsDLIa', 'StkX7prSEG'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, lOv9FRd2NPqO1PlBJQs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AU296TyiLY', 'aLZ90BOtxc', 'LWc9hgroNT', 'BYR9LfcXca', 'hXg9Emk8f3', 'llK94PagMR', 'xy39OtJpFF'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, PvRT5FjPqtsEToTf1L.cs	High entropy of concatenated method names: 'Dispose', 'JnLXvikI01', 'ROGD5l638m', 'VOcqqYiVvy', 'NgoXMR8YGd', 'a1OXzMgo8Q', 'ProcessDialogKey', 'sCODPDXkAQ', 'PZUDXfDhAG', 'HFjDD72Uvk'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, xd2LSSQnCDksaira0r.cs	High entropy of concatenated method names: 'q6ajANrWej', 'sw0jWud29y', 'KunrxTRIg1', 'cPhrmNmGBk', 'G1erYheLfF', 'H4lrbCVAQ4', 'djVrsujC9n', 'TGYrfaf0ES', 'KNgraLwK2s', 'Wq4r8A8GO5'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, mcWHn487y1glHTYajC.cs	High entropy of concatenated method names: 'AQKTtEwdfP', 'N77TSpYyCx', 'bSkTjKCqxq', 'UgVTgrrsLK', 'uaWTeSgojI', 'gSgjEGQVbs', 'RCGj4DSGZM', 'AiGjO2eK7x', 'YCojNNO8Ko', 'kvbjvmmRyX'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, lxvgevrO2p7UITObwM.cs	High entropy of concatenated method names: 'XaoINRu3E1', 'M5MIMYTfk2', 'B0pJPGxndF', 'ptpJXMXEua', 'tjkIRUAfxe', 'SpVIoG0B2M', 'TJOIHJNsYZ', 'KyyI6gDH1G', 'CUYI03HdA8', 'na0IhsHegn'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, p18Ki8x7X9oUic0XE0.cs	High entropy of concatenated method names: 'v6OJQkepVG', 'e9IJS49Ige', 'YqPJrek7pj', 'gb4JjkxR8m', 'YG9JTa8Acc', 'kSEJg9mI9S', 'wDNJeIPDlR', 'A7dJ3neL8U', 'HcrJUw9mTi', 'vQZJdAR5L3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, YaIa4uHV693HHtPBfY.cs	High entropy of concatenated method names: 'ToString', 'NjBFRXxEq0', 'N8NF5TUrkw', 'xIMFxdyG2t', 'glDFmMjekr', 'vREFYuS4C6', 'xVdFbAtlJ2', 'bPGFsYaa2V', 'knfFfe3bsy', 'qfXFayeQ7Y'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.5960000.11.raw.unpack, V4uC3Iifq56IKQcfry.cs	High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.5960000.11.raw.unpack, vpednoN8EZgsJ4TDwx.cs	High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.3f19970.8.raw.unpack, V4uC3Iifq56IKQcfry.cs	High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.3f19970.8.raw.unpack, vpednoN8EZgsJ4TDwx.cs	High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, tI2pr9waypbr6FZsTC.cs	High entropy of concatenated method names: 'EcwiT8RtC', 'dfxydkXcD', 'wtuVZebXJ', 'C7oWV3uOL', 'q9yl6i5nU', 'zplGiKm3Q', 'mZkcZmPGvxEXLc6w0Q', 'NEJZnripPmBNMLfg4r', 'I8kJjQ2vY', 'pSt9H76Aj'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, cMa5f2nkbwMSJ9jBMr.cs	High entropy of concatenated method names: 'Mr8gQOebUW', 'd1Igrg8pPq', 'KXrgT8M38p', 'QItTMpDnll', 'z2GTzPQC9D', 'BDtgP5rtNP', 'emjgXg30mN', 'v8xgDCPAPF', 'c1Ug7MyFmn', 'RkYgnBfRhs'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, kRMRZ7dipxXsDCZVAAj.cs	High entropy of concatenated method names: 'YshkZuoqxu', 'Ap3kurY9ta', 'RCGki4trOc', 'KX3kyQ0apV', 'AyOkA3G8vr', 'QqqkVVrNe1', 'CTSkW1MQnH', 'bbukpCBgFX', 'NuWklf2UtD', 'sKOkGTt91I'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, EMO7B1gN4QWasy0VHo.cs	High entropy of concatenated method names: 'tEAwpNEmuN', 'X80wlfgN8L', 'pwWwBdItrH', 'FHCw5BuWNh', 'RpSwmByXYc', 'hALwY3Tffv', 'CKZws6Kfcn', 'Dv4wfmcA8W', 'dhnw8RQ2ot', 'EBWwR9kUAq'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, ESd1vpSgRUx49WWX2w.cs	High entropy of concatenated method names: 'SrdJBtGryw', 'kM3J5Mhrky', 'UVUJxYN7Ng', 'mDFJmIYjkH', 'tfmJ6FH4KX', 'wssJYZAavU', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, uQ3W5Ck4LyfS8CSIuG.cs	High entropy of concatenated method names: 'IgYgZFsGUU', 'Pfsgu03RnB', 'qyOgi59VY3', 'pvjgyePU9u', 'bxTgAg05Ki', 'y8igVqSHYi', 'x4RgWshfNQ', 'jXVgpRlvQE', 'RJNglFTlky', 'M8igGGxt76'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, dsn0tHzswp5nEwEdfH.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XOJkws8Cjw', 'YJskCXZZni', 'Pf6kFDuYMQ', 'KU9kIk4mPl', 'eYNkJDBV0b', 'hUokk0OZwQ', 'Fkwk9fHcq9'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, zAxcuj6YFTwcHDobjA.cs	High entropy of concatenated method names: 'L9tkXnAfYW', 'FQ8k70nAts', 'eXeknMpEVn', 'mfYkQMOkKv', 'PXOkS42kew', 'AJjkjYdVxg', 'ChpkTe2uoV', 'AffJOdRMeh', 'CSMJNbUiiG', 'j3wJvnOT1j'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, zrWCPG3dLvJK3EgkMW.cs	High entropy of concatenated method names: 'XgxS67tmaY', 'oZlS0YVkry', 'MenSh9QvLQ', 'M7pSLAUGeA', 'VFmSEiOTSR', 'H4PS4rcEFO', 'FerSOHXrUK', 'p7ISNfGRBT', 'O6OSvgnof5', 'MkoSMlH5G6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, tFeiT0I3vQIcnwVjg1.cs	High entropy of concatenated method names: 'XO2rynXUjt', 'EXlrVjhDBa', 'IQirpcQnGv', 'k41rlkexWU', 'o3xrCkY0ZO', 'cTerFcD5YX', 'wvgrIHackT', 'cCSrJv4Juj', 'jqorklEgUW', 'O5Ar9Pc4lN'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, zmYWwDZ8FykQ1x2sQs.cs	High entropy of concatenated method names: 'sWdIU71xka', 'eRVIdBpZKt', 'ToString', 'ACGIQX1xyj', 'XkAISEuLnx', 'W6TIrUXJ2v', 'CF3IjAWLBb', 'dIIITaXyPL', 'kkBIgNi8Rj', 'yP4IebslcS'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, d6xQSBapuxcv9EN06s.cs	High entropy of concatenated method names: 'GK47thRnjx', 'C9d7QUoPPg', 'KGi7SIXdlR', 'nSQ7rjQmaF', 'FLp7j93riK', 'GWs7T0wim7', 'gvu7gwQ23l', 'iPb7e5q6cZ', 'xD473KCIiE', 'UYX7UlWEHS'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, GIM2cLv1BMT29pRR3L.cs	High entropy of concatenated method names: 'ksmXgysZLR', 'f9oXeZQ0gN', 'THtXU3RK9t', 'G3UXdDJpRH', 'ukpXCj5rRg', 'taXXFLkBnm', 'e0v2hVSQRoJkCTXiCq', 'DxU6WEVZZgNrqnPYyZ', 'XeFXXsDLIa', 'StkX7prSEG'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, lOv9FRd2NPqO1PlBJQs.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AU296TyiLY', 'aLZ90BOtxc', 'LWc9hgroNT', 'BYR9LfcXca', 'hXg9Emk8f3', 'llK94PagMR', 'xy39OtJpFF'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, PvRT5FjPqtsEToTf1L.cs	High entropy of concatenated method names: 'Dispose', 'JnLXvikI01', 'ROGD5l638m', 'VOcqqYiVvy', 'NgoXMR8YGd', 'a1OXzMgo8Q', 'ProcessDialogKey', 'sCODPDXkAQ', 'PZUDXfDhAG', 'HFjDD72Uvk'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, xd2LSSQnCDksaira0r.cs	High entropy of concatenated method names: 'q6ajANrWej', 'sw0jWud29y', 'KunrxTRIg1', 'cPhrmNmGBk', 'G1erYheLfF', 'H4lrbCVAQ4', 'djVrsujC9n', 'TGYrfaf0ES', 'KNgraLwK2s', 'Wq4r8A8GO5'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, mcWHn487y1glHTYajC.cs	High entropy of concatenated method names: 'AQKTtEwdfP', 'N77TSpYyCx', 'bSkTjKCqxq', 'UgVTgrrsLK', 'uaWTeSgojI', 'gSgjEGQVbs', 'RCGj4DSGZM', 'AiGjO2eK7x', 'YCojNNO8Ko', 'kvbjvmmRyX'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, lxvgevrO2p7UITObwM.cs	High entropy of concatenated method names: 'XaoINRu3E1', 'M5MIMYTfk2', 'B0pJPGxndF', 'ptpJXMXEua', 'tjkIRUAfxe', 'SpVIoG0B2M', 'TJOIHJNsYZ', 'KyyI6gDH1G', 'CUYI03HdA8', 'na0IhsHegn'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, p18Ki8x7X9oUic0XE0.cs	High entropy of concatenated method names: 'v6OJQkepVG', 'e9IJS49Ige', 'YqPJrek7pj', 'gb4JjkxR8m', 'YG9JTa8Acc', 'kSEJg9mI9S', 'wDNJeIPDlR', 'A7dJ3neL8U', 'HcrJUw9mTi', 'vQZJdAR5L3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, YaIa4uHV693HHtPBfY.cs	High entropy of concatenated method names: 'ToString', 'NjBFRXxEq0', 'N8NF5TUrkw', 'xIMFxdyG2t', 'glDFmMjekr', 'vREFYuS4C6', 'xVdFbAtlJ2', 'bPGFsYaa2V', 'knfFfe3bsy', 'qfXFayeQ7Y'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe PID: 6620, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Memory allocated: 2D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Memory allocated: 2F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Memory allocated: 4F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Memory allocated: 6160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Memory allocated: 7160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Memory allocated: 7290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Memory allocated: 8290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Memory allocated: 8900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Memory allocated: 9900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Memory allocated: A900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Memory allocated: B900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Memory allocated: 1670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Memory allocated: 4FD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Window / User API: threadDelayed 1213			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Window / User API: threadDelayed 7318			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 5548	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 408	Thread sleep count: 1213 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 408	Thread sleep count: 7318 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -99419s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -98938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -98828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -98719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -98601s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -98484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -98375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -98266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -98141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -98031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -97922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -97813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -97688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -97563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -97344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -97219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -97109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -97000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -96891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -96781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -96672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -96563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -96438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -96324s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -96218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -96109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -96000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -95891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -95766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -95656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -95547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -95438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -95313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe TID: 2704	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 99419	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 98828	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 98601	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 98484	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 98375	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 98266	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 98141	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 97922	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 97813	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 97688	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 97563	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 97344	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 97219	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 97109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 97000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 96891	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 96781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 96672	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 96563	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 96438	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 96324	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 96218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 96109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 96000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 95891	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 95766	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 95656	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 95547	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 95438	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 95313	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3307591782.000000000123F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKLR'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 5.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3309198673.000000000301E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3307195711.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3309198673.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2069338415.0000000004907000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe PID: 5080, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.3f19970.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.5960000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.5960000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.3f19970.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2069338415.0000000003F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2073329102.0000000005960000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 5.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3307195711.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3309198673.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2069338415.0000000004907000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe PID: 5080, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 5.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b94cb0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4c130d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.4b16890.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3309198673.000000000301E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3307195711.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3309198673.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2069338415.0000000004907000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe PID: 5080, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.3f19970.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.5960000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.5960000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.3f19970.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2069338415.0000000003F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2073329102.0000000005960000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	111 Security Software Discovery	Distributed Component Object Model	1 Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	21%	ReversingLabs
SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.224	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3309198673.0000000003026000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3307591782.000000000123F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0A	SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3309198673.0000000003026000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3307591782.000000000123F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3309198673.0000000003026000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3307591782.000000000123F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000000.00000002.2069338415.0000000004907000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3307195711.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://us2.smtp.mailhostbox.com	SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe, 00000005.00000002.3309198673.0000000003026000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.91.199.224	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431282
Start date and time:	2024-04-24 19:23:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 85 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Simulations

Behavior and APIs

Time	Type	Description
19:24:02	API Interceptor	43x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
208.91.199.224	OKJ2402PRT000025.PDF.scr.exe	Get hash	malicious	AgentTesla	Browse
	Urgent PO 18-3081 Confirmation.exe	Get hash	malicious	AgentTesla	Browse
	HDPESDR11OD5606METERS.exe	Get hash	malicious	AgentTesla	Browse
	HDPESDR1145-6METERS.exe	Get hash	malicious	AgentTesla	Browse
	TT copy of the first payment.exe	Get hash	malicious	AgentTesla	Browse
	rTDN001-180424_PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	1iO53raUh69l6nV.exe	Get hash	malicious	AgentTesla	Browse
	HmGUCvTQIacWu7Q.exe	Get hash	malicious	AgentTesla	Browse
	Payment.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse
	Gcerti Quote.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us2.smtp.mailhostbox.com	Dhl Express Shipping Docs .pdf.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	PR2403016.scr.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	OKJ2402PRT000025.PDF.scr.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Urgent PO 18-3081 Confirmation.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	HDPESDR11OD5606METERS.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	HDPESDR1145-6METERS.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	TT copy of the first payment.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	rTDN001-180424_PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.91.198.143
	1iO53raUh69l6nV.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	HmGUCvTQIacWu7Q.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	Dhl Express Shipping Docs .pdf.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	PR2403016.scr.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	OKJ2402PRT000025.PDF.scr.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	PO82100088.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse	162.215.248.214
	Urgent PO 18-3081 Confirmation.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	72625413524.vbs	Get hash	malicious	XWorm	Browse	116.206.104.215
	HDPESDR11OD5606METERS.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.976685914003112
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
File size:	692'224 bytes
MD5:	d760dc358592d6717d4d6ca1ca0b4a41
SHA1:	c9cecc6110f3568c4b8d38c95f834b3bf7a7c0d8
SHA256:	87c5e257097fbb317f8f64250f0796574dfaf1e132e4819dc9c62d9d59c227dd
SHA512:	b32aad32df292055078aa2a5f98205da2fef69f183d8feaf2e79e2cc085430c80feb2560ebc733f6b2c5a994bfc5438071ddf40cd6c588ac5609a2676758290a
SSDEEP:	12288:jAlv312Z3HmMPKvWPRqYtuJu+OixvozCaRXrJ6hVxB+8i53tzL73EmlPTS2b:jAJ312ZHmMi+PoYb+rw7XFcfB+B5RLDH
TLSH:	FCE4237C22D9532AD97BBBFC24BAC1208365A0A15922D75C0E5673EF43FB7044D46637
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B.................0.............f.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4aa366
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x83A41C42 [Tue Dec 27 03:47:14 2039 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
inc esi
dec edi
push edx
xor al, 54h
xor eax, 42384738h
aaa
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], dh
cmp byte ptr [ecx+50h], dl
xor eax, 36374734h
pop edx
inc ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaa311	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x61c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xae000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa8f48	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa838c	0xa8400	f7f8b46f551196f96138fc3d31127af1	False	0.9777175427191679	data	7.9824303162566155	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0x61c	0x800	5ad9e0c4232e6c9f3c3c57898ff1a084	False	0.3369140625	data	3.4723738545851126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xae000	0xc	0x200	5a024fe4d8fc67b74ae9ede688871da2	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xac090	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data			0.42180616740088106
RT_MANIFEST	0xac42c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 19:24:04.923279047 CEST	49705	587	192.168.2.5	208.91.199.224
Apr 24, 2024 19:24:05.104754925 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:05.112118959 CEST	49705	587	192.168.2.5	208.91.199.224
Apr 24, 2024 19:24:05.634308100 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:05.635257006 CEST	49705	587	192.168.2.5	208.91.199.224
Apr 24, 2024 19:24:05.816601038 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:05.816859007 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:05.817056894 CEST	49705	587	192.168.2.5	208.91.199.224
Apr 24, 2024 19:24:05.998533010 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:06.005785942 CEST	49705	587	192.168.2.5	208.91.199.224
Apr 24, 2024 19:24:06.187973022 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:06.188041925 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:06.188083887 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:06.188158989 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:06.188379049 CEST	49705	587	192.168.2.5	208.91.199.224
Apr 24, 2024 19:24:06.188422918 CEST	49705	587	192.168.2.5	208.91.199.224
Apr 24, 2024 19:24:06.369853973 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:06.406054974 CEST	49705	587	192.168.2.5	208.91.199.224
Apr 24, 2024 19:24:06.588268042 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:06.603941917 CEST	49705	587	192.168.2.5	208.91.199.224
Apr 24, 2024 19:24:06.785789013 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:06.786993980 CEST	49705	587	192.168.2.5	208.91.199.224
Apr 24, 2024 19:24:06.974595070 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:06.975929976 CEST	49705	587	192.168.2.5	208.91.199.224
Apr 24, 2024 19:24:07.196598053 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:09.128432989 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:09.128782988 CEST	49705	587	192.168.2.5	208.91.199.224
Apr 24, 2024 19:24:09.309954882 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:09.313026905 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:09.313285112 CEST	49705	587	192.168.2.5	208.91.199.224
Apr 24, 2024 19:24:09.513117075 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:09.523334980 CEST	49705	587	192.168.2.5	208.91.199.224
Apr 24, 2024 19:24:09.714706898 CEST	587	49705	208.91.199.224	192.168.2.5
Apr 24, 2024 19:24:09.714772940 CEST	49705	587	192.168.2.5	208.91.199.224

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 19:24:04.741357088 CEST	61046	53	192.168.2.5	1.1.1.1
Apr 24, 2024 19:24:04.899668932 CEST	53	61046	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 19:24:04.741357088 CEST	192.168.2.5	1.1.1.1	0xd364	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 19:24:04.899668932 CEST	1.1.1.1	192.168.2.5	0xd364	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)	false
Apr 24, 2024 19:24:04.899668932 CEST	1.1.1.1	192.168.2.5	0xd364	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)	false
Apr 24, 2024 19:24:04.899668932 CEST	1.1.1.1	192.168.2.5	0xd364	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)	false
Apr 24, 2024 19:24:04.899668932 CEST	1.1.1.1	192.168.2.5	0xd364	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 24, 2024 19:24:05.634308100 CEST	587	49705	208.91.199.224	192.168.2.5	220 us2.outbound.mailhostbox.com ESMTP Postfix
Apr 24, 2024 19:24:05.635257006 CEST	49705	587	192.168.2.5	208.91.199.224	EHLO 123716
Apr 24, 2024 19:24:05.816859007 CEST	587	49705	208.91.199.224	192.168.2.5	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Apr 24, 2024 19:24:05.817056894 CEST	49705	587	192.168.2.5	208.91.199.224	STARTTLS
Apr 24, 2024 19:24:05.998533010 CEST	587	49705	208.91.199.224	192.168.2.5	220 2.0.0 Ready to start TLS

Target ID:	0
Start time:	19:24:01
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"
Imagebase:	0xb90000
File size:	692'224 bytes
MD5 hash:	D760DC358592D6717D4D6CA1CA0B4A41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2069338415.0000000003F19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2073329102.0000000005960000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2069338415.0000000004907000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2069338415.0000000004907000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:24:02
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"
Imagebase:	0x320000
File size:	692'224 bytes
MD5 hash:	D760DC358592D6717D4D6CA1CA0B4A41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	19:24:02
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"
Imagebase:	0x230000
File size:	692'224 bytes
MD5 hash:	D760DC358592D6717D4D6CA1CA0B4A41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:24:02
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"
Imagebase:	0x50000
File size:	692'224 bytes
MD5 hash:	D760DC358592D6717D4D6CA1CA0B4A41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:24:02
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe"
Imagebase:	0xca0000
File size:	692'224 bytes
MD5 hash:	D760DC358592D6717D4D6CA1CA0B4A41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3309198673.000000000301E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3307195711.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3307195711.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3309198673.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3309198673.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	84
Total number of Limit Nodes:	4

Executed Functions

Function 060579C8 Relevance: 4.0, Strings: 3, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 06057BF6
Te]q, xrefs: 06057A31
)", xrefs: 06057A72

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Te]q$Te]q$)"
API String ID: 0-1081650559
Opcode ID: a88e13c99fc5c2953b9bbb98625bef12092396d68a9a9e80105e78c947415bd6
Instruction ID: fe5e65a76044a4d98058e3e343215405aa68e4c31dde1a6a69df529e257e01a1
Opcode Fuzzy Hash: a88e13c99fc5c2953b9bbb98625bef12092396d68a9a9e80105e78c947415bd6
Instruction Fuzzy Hash: 9381C574E002098FDB48CFAAC984AEEFBB2FF89300F14952AD415AB354E7359945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06059B68 Relevance: 1.6, Strings: 1, Instructions: 302
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tIh, xrefs: 06059F1D

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: tIh
API String ID: 0-443931868
Opcode ID: f46927bda1cbed4854c8f23e873dea736556471db72303458082adb32db976fe
Instruction ID: 2df05d1ec33e61bf3c410d9d5e99de11a1c749683c56bf8123090141cf77dc30
Opcode Fuzzy Hash: f46927bda1cbed4854c8f23e873dea736556471db72303458082adb32db976fe
Instruction Fuzzy Hash: 9FD12870E1424ADFEB48DFA9C5858AEFFB2FF88301B11D555D815AB214D734AA82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0605CBC0 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48152d9bb83dfb82eb84a0b87b206aab1a99a25632ea00b0151a9244effd7e4a
Instruction ID: 3d4f9c601e8bfe3f04213473cdd79a7ed80fc51f97d94e207b0a8b5df9a61c50
Opcode Fuzzy Hash: 48152d9bb83dfb82eb84a0b87b206aab1a99a25632ea00b0151a9244effd7e4a
Instruction Fuzzy Hash: 51910570E55209DFEB48CFA9D58099EFFB2FB89300F21A41AE416BB224D7349945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0605C8A8 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2ea91cfadfb951c8026af1240b6cadff4f5271eb876e8dd4a07a1dc60ba374
Instruction ID: 0479ee14904acda5f356f31320abfb3028bbfc0f78830329d7526d5336491ba5
Opcode Fuzzy Hash: 6a2ea91cfadfb951c8026af1240b6cadff4f5271eb876e8dd4a07a1dc60ba374
Instruction Fuzzy Hash: 34810FB4E44229DFEB44CFA9C8849EEBBB2FB89300F10951AD812B7254D7349952CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06058CB8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f754ab58f7dab7a57d906007d6b632fb6822e3dccd513e37e8b9511c5d52fd
Instruction ID: b599bfb100a886017f5c431397dd3dfd54190b67cdc014f515cfb8d89b2e56c7
Opcode Fuzzy Hash: d7f754ab58f7dab7a57d906007d6b632fb6822e3dccd513e37e8b9511c5d52fd
Instruction Fuzzy Hash: 2321E9B1E016588BEB58CF9BD8402DEFBF7AFC8310F14C16AD909A6258DB741A55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D9D031 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02D9D0BE
GetCurrentThread.KERNEL32 ref: 02D9D0FB
GetCurrentProcess.KERNEL32 ref: 02D9D138
GetCurrentThreadId.KERNEL32 ref: 02D9D191

Memory Dump Source

Source File: 00000000.00000002.2063064112.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 189b2314b8f3db3eeb55e99de2ac06236c01ef901f61843790bc2a6b62b6a2f1
Instruction ID: 7d3ff427c3b70acc11149d2225512497f0b26a402d1d9dcb9a4bef99f8f6ce50
Opcode Fuzzy Hash: 189b2314b8f3db3eeb55e99de2ac06236c01ef901f61843790bc2a6b62b6a2f1
Instruction Fuzzy Hash: 645168B1A003498FDB54DFA9D648BAEBBF2FF89304F208459E109A7390D7345984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02D9D040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02D9D0BE
GetCurrentThread.KERNEL32 ref: 02D9D0FB
GetCurrentProcess.KERNEL32 ref: 02D9D138
GetCurrentThreadId.KERNEL32 ref: 02D9D191

Memory Dump Source

Source File: 00000000.00000002.2063064112.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d144454244309e4740460a56a25310e19ced7e671f5b6c01d86029e430d98f28
Instruction ID: 16bc56233a07de6b0b3b27fef59a1e806df3ec11b9fa63cd84e4cc3fd3f4cd57
Opcode Fuzzy Hash: d144454244309e4740460a56a25310e19ced7e671f5b6c01d86029e430d98f28
Instruction Fuzzy Hash: CF5167B1A003498FDB54DFAAD548BAEBBF6FF88304F208459E109A7350D7345984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0605A1A8 Relevance: 2.6, Strings: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3H5, xrefs: 0605A246
3H5, xrefs: 0605A238

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 3H5$3H5
API String ID: 0-2752242361
Opcode ID: 8bd911ef7635f6cf9a4ffa1bd6503d790c352bf4227062cf7aa22cda98e5975b
Instruction ID: 4e0f87d16ecc2eb4c053784c82fb310c7af774e6e9c6df25b6342228369dcbe8
Opcode Fuzzy Hash: 8bd911ef7635f6cf9a4ffa1bd6503d790c352bf4227062cf7aa22cda98e5975b
Instruction Fuzzy Hash: 88212A70E14209DFDB88DFAAC5419AEFFF1FF89300F24C56A9908A7214E7349A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02D9ADA8 Relevance: 1.7, APIs: 1, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D9AFFE

Memory Dump Source

Source File: 00000000.00000002.2063064112.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 76886676a5833165123e3ce80675f01e7dfeb0072fdc186712dff356ea1b3ed8
Instruction ID: bef1ea2bb0d109a953b085df25eb6d951318f25641f6c1013ce1b7a39a441f85
Opcode Fuzzy Hash: 76886676a5833165123e3ce80675f01e7dfeb0072fdc186712dff356ea1b3ed8
Instruction Fuzzy Hash: 8B813471A00B058FDB24DF29D55479ABBF5FF88304F108A2EE48A9BB50D735E949CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D9590C Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D959C9

Memory Dump Source

Source File: 00000000.00000002.2063064112.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9d50ff863b0edf1ab128905f0e705bb33b028c3dbd14682c77fc6853f9aaaf80
Instruction ID: 84a2a801366f3a0a76bf3bdca7f3665cfeb82a2299087fc81e9cb8f92dd254ab
Opcode Fuzzy Hash: 9d50ff863b0edf1ab128905f0e705bb33b028c3dbd14682c77fc6853f9aaaf80
Instruction Fuzzy Hash: 605123B1C00719CEDB25DFAAD8847DEBBF5BF49304F60806AD009AB251C7756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D944B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D959C9

Memory Dump Source

Source File: 00000000.00000002.2063064112.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2107ebd187239d436b18cc6ae48c6938e7c2f9383e1848a429a68fde77dd4efc
Instruction ID: 0694907830108c85d85d74d925ac13f3c977fa122ea4fe252cd2f018fc5f1ad7
Opcode Fuzzy Hash: 2107ebd187239d436b18cc6ae48c6938e7c2f9383e1848a429a68fde77dd4efc
Instruction Fuzzy Hash: A04112B0C0071DCFDB25DFA9C984B8EBBB5BF49304F20806AE409AB254DB756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D9D690 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D9D717

Memory Dump Source

Source File: 00000000.00000002.2063064112.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9733d814428654c9afcc92b7bbd46ff7144c764684e8a390fdbda22b9ee8ae46
Instruction ID: 00eb8e82dd7292c1434e07d1ac2d6e062d73a0948eb98d2417f54db1b0d0d5c3
Opcode Fuzzy Hash: 9733d814428654c9afcc92b7bbd46ff7144c764684e8a390fdbda22b9ee8ae46
Instruction Fuzzy Hash: 8521E4B59002489FDB10CF9AD584ADEFBF9FB48310F14841AE918A3310C379A940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D9D689 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D9D717

Memory Dump Source

Source File: 00000000.00000002.2063064112.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 859ee3a8d9629071c6193f30fbc8ba32236a95d94321363f3095d47e32e928cc
Instruction ID: f042e20ca07b96788327f351669550910e065db298d48b42e04b16098926939b
Opcode Fuzzy Hash: 859ee3a8d9629071c6193f30fbc8ba32236a95d94321363f3095d47e32e928cc
Instruction Fuzzy Hash: FA21E0B59002489FDB10CFAAD584AEEBBF5FB48314F14841AE918B3310D378A940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D9A130 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D9B079,00000800,00000000,00000000), ref: 02D9B28A

Memory Dump Source

Source File: 00000000.00000002.2063064112.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b08cce651b7f7013bdf2dc6ec20fcd33165f7535f91d41623874750b1a71a8db
Instruction ID: cd56fc8e4b86ea86fecc599e4f0fdc323aa31d0061fb3d45d5f6ab1546ba3a7a
Opcode Fuzzy Hash: b08cce651b7f7013bdf2dc6ec20fcd33165f7535f91d41623874750b1a71a8db
Instruction Fuzzy Hash: E51112B69003089FDB10CF9AD444AAEFBF4EB48714F10842AE519A7310C379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D9B219 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D9B079,00000800,00000000,00000000), ref: 02D9B28A

Memory Dump Source

Source File: 00000000.00000002.2063064112.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 347a21a7648ded1295c6ff3afabc8f8027964e64f627f44aab650e106eb18727
Instruction ID: 254b238c4d04746e66ed4d3b25f1701ae4145271f05480945d65ba09c8bac0c4
Opcode Fuzzy Hash: 347a21a7648ded1295c6ff3afabc8f8027964e64f627f44aab650e106eb18727
Instruction Fuzzy Hash: 2E1112B69002498FDB10DF9AD448ADEFBF4EB49314F14846AE919A7310C379A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D9AF98 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D9AFFE

Memory Dump Source

Source File: 00000000.00000002.2063064112.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f3176eb4b79c5e93aae80628501c724349937be4c95e3e7fd869b7d29b0ecaa6
Instruction ID: 7eae6149f00a54fad998cade4d811334b5ef164ce295d8f8a7579ce8c51db9f5
Opcode Fuzzy Hash: f3176eb4b79c5e93aae80628501c724349937be4c95e3e7fd869b7d29b0ecaa6
Instruction Fuzzy Hash: 3A110FB6C003498FDB10CF9AD444A9EFBF4EF89218F20845AE528A7310C379A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0605C2F8 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

O};5, xrefs: 0605C330

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: O};5
API String ID: 0-3558557551
Opcode ID: 8f613903af3e091e58f4e77c9d4d5a7403bfcb2edc1b80b22ed45f615a341b87
Instruction ID: 3959fad7596839d7a3b785cf67b9a298250173d922bc732722611564ea44aa24
Opcode Fuzzy Hash: 8f613903af3e091e58f4e77c9d4d5a7403bfcb2edc1b80b22ed45f615a341b87
Instruction Fuzzy Hash: 00415D70A25209DFDB88CF99D5858AFBFB1FB88300B61D899D445A7314DB30DA61CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0605DD88 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

8aq, xrefs: 0605DE03

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: f5fcb98453bfba95eccb31e139e3a8da2502d0bc18ddf1d2daf5ba708011110c
Instruction ID: 2da10b5fa35543babbed6afd264feabe26b9f4dbb4e728e3a1a7374f9977843b
Opcode Fuzzy Hash: f5fcb98453bfba95eccb31e139e3a8da2502d0bc18ddf1d2daf5ba708011110c
Instruction Fuzzy Hash: EC31E274E542099FDB88EFA8D8506EEBBB5FB98300F11802AD919A3384EB345945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0605E4F8 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0605E563

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 938d0f4b83e7480b1c11926c2fb6cd28c62e15fe1ddaf8379a88d9bf06a5e669
Instruction ID: a602b17d6b9e60cd5b34d0527eb9d89b3d5e3a82a900bef70e273d7146a69c99
Opcode Fuzzy Hash: 938d0f4b83e7480b1c11926c2fb6cd28c62e15fe1ddaf8379a88d9bf06a5e669
Instruction Fuzzy Hash: DD113D31E0020A8BCB84EBA999115EFBAF6AFC8711B514179C945E7244EB318E02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0605C480 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265e21a666c48c5ea6fa779493d460fc3a59a50296c2b3ca335a1f9c2ef5189e
Instruction ID: fc5b8e91ca67ae367ba9edd08d2bde4d07339448dfd919f6aed3a2d6ad7751dc
Opcode Fuzzy Hash: 265e21a666c48c5ea6fa779493d460fc3a59a50296c2b3ca335a1f9c2ef5189e
Instruction Fuzzy Hash: 78416974E1020A9FDB48CFA9D8419EFBFB2EB89310F10952AE505AB354DB749A51CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 012FD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062540361.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e2c7722c441e6d39fd1800ac388bedf0edd99fa2a6395384b7138cb1f1736e
Instruction ID: 6bd2389e56dacb831053a4530f0d97455b403de34183c7e4436a917b92bf06e3
Opcode Fuzzy Hash: 34e2c7722c441e6d39fd1800ac388bedf0edd99fa2a6395384b7138cb1f1736e
Instruction Fuzzy Hash: 99212175110208DFDB05DF98C9C0B66FF65FB88324F20C17DEA090B256C33AE406CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0130D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062607438.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38841aa9125a91c8885361437442797800a3ab207165e594f3e536c79940f240
Instruction ID: 5834b182cf35e20274c56716b10ae849f8888bcf65b04031660ee60871a532ec
Opcode Fuzzy Hash: 38841aa9125a91c8885361437442797800a3ab207165e594f3e536c79940f240
Instruction Fuzzy Hash: 6221F571504204EFDB06DFD8D5D0B26BBE9FB84328F20C56DE9094B296C33AD406CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0130D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062607438.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5bd298f7831736aca6a8bab3d14f2af439ecedd9f27494f5f8f2be7ed0c3079
Instruction ID: fcd6caca7ab10806d1e78447e07dad03827d5fc1a2f09a4bd6d17325354add33
Opcode Fuzzy Hash: a5bd298f7831736aca6a8bab3d14f2af439ecedd9f27494f5f8f2be7ed0c3079
Instruction Fuzzy Hash: 81210371604204DFDB16DFA8D990B16BFE9FB84318F20C569D90E4B696C33AD406CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0605C220 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8465cf6aa1668300514828f2cea86aeb1b1b3a359b87cef51da8907ee5bb95
Instruction ID: 38dbd67c5a4608ec077ac2e27caa725fb123ad8c02773687ff63fabd5797258a
Opcode Fuzzy Hash: 2b8465cf6aa1668300514828f2cea86aeb1b1b3a359b87cef51da8907ee5bb95
Instruction Fuzzy Hash: C721B2B4A10508DFCB08DF9AE084889BFF1FF8C310F5280D4E4489B265EB71D9A5CB01

Uniqueness

Uniqueness Score: -1.00%

Function 012FD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062540361.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 02c20eb2ed356d2717f8a4314d6a0333073dd269cad2358860e9cba239fc3b51
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 4D11CD76404284CFDB02CF44D5C4B56BF71FB84224F24C6A9DA090A656C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0130D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062607438.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 323e282c38c75f407ae54dd756975b42929975316e35f185b673654b32afc2e8
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: A211D075504280CFDB12CF54D5D4B15FFA1FB44318F24C6A9D84D4B696C33AD40ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0130D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062607438.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: c4ba207cce25e6039a4f47a83f6de1a2ab56c1e94c0ad9aaadc909c07029c7bf
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: D611BB75504280DFDB02CF98C5D4B15BFB1FB84228F24C6A9D8494B696C33AD40ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 012FD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062540361.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0974ae2a5f3e4ab5df55b83172c72142db6fb7522d17a9d4e436848b3c8d6cb
Instruction ID: 54f1e4b3457d22cc03e618302c93b3c27427871b57bb29d289b77612c6fa72b9
Opcode Fuzzy Hash: b0974ae2a5f3e4ab5df55b83172c72142db6fb7522d17a9d4e436848b3c8d6cb
Instruction Fuzzy Hash: D5012B710143889AF7259E99CD84B67FF9CEF45320F18C53EEF080E296C2799841CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 060567B8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27fabf0fc292db20bc7b6ff75c13bba5c8a61463abe39aec6ac85a5869236406
Instruction ID: 77a2a6b0f9c79186f50db3e39ddceafb02e6a411946f97218f5e892ca63038fd
Opcode Fuzzy Hash: 27fabf0fc292db20bc7b6ff75c13bba5c8a61463abe39aec6ac85a5869236406
Instruction Fuzzy Hash: AAF03C78D6820CDFDB84DFA8D4412AEBFB8EB48300F4084AA9818A3350E7314A44CF80

Uniqueness

Uniqueness Score: -1.00%

Function 012FD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062540361.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b55d5d2b16cc952335570533c60bf31433f9e2882121e030435089ed79f810
Instruction ID: 4cf36d75aaaf11ddc399541bfcb24c78ff40ea622b8e155e57dbc036b6804e85
Opcode Fuzzy Hash: a0b55d5d2b16cc952335570533c60bf31433f9e2882121e030435089ed79f810
Instruction Fuzzy Hash: 70F0C2710043849EF7158E1ACC88B62FF98EF41234F18C46EEE080E296C2799840CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 0605A2A0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c1d7a15a7e8dec4c512f9932320d5564573e5d7e35b1e37dfe4cbaa98491c8
Instruction ID: ec205ed70bf514abddfc70ef9d6b5a336371b64499c0156a9ebb84c40104ce36
Opcode Fuzzy Hash: 02c1d7a15a7e8dec4c512f9932320d5564573e5d7e35b1e37dfe4cbaa98491c8
Instruction Fuzzy Hash: B601B278E00208AFCB48DFA9C589A9DBFF1AF48700F05C1A8E9089B365DA31E950DF40

Uniqueness

Uniqueness Score: -1.00%

Function 06056878 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67d3a884ad1a5654e65d287250224a448739cd6009cd9f37551b7869394b8da
Instruction ID: 7e1c09f89dd07f5969e2cd3cebe195be85a02ec0a434a8eb651ffe9979228762
Opcode Fuzzy Hash: d67d3a884ad1a5654e65d287250224a448739cd6009cd9f37551b7869394b8da
Instruction Fuzzy Hash: 44E0E578E55208EFCB84DFA8D4416ADFBF4EB89314F10C5A9D80893351DA72AA42CF81

Uniqueness

Uniqueness Score: -1.00%

Function 06056E80 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af99ed1080d9008d5f309f2fad41fe382e2d0707f004abfa044b323cf2e2341d
Instruction ID: 4d7c7baace482f8f1bd4d4f5dd186f5ad213914997acfb7df82da290315b2a0d
Opcode Fuzzy Hash: af99ed1080d9008d5f309f2fad41fe382e2d0707f004abfa044b323cf2e2341d
Instruction Fuzzy Hash: C4C0127056530C9BCB54DABC980969B7EB8D745216F424054A808C3100EE7254A0C7A1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06058250 Relevance: 3.9, Strings: 3, Instructions: 155COMMON

Download Yara Rule

Strings

[[bb, xrefs: 060583B3
7Z/t, xrefs: 06058363
RWIK, xrefs: 060582BA

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 7Z/t$RWIK$[[bb
API String ID: 0-1157992699
Opcode ID: 6f0611d510c10f6df7ad13b9f040d2a90b7606a429d3e5411c65f690cde4c3d0
Instruction ID: 306e10ee2d4345c995197e66d688b1e6c75dd8f32854d3dbf99ef4542cce46a0
Opcode Fuzzy Hash: 6f0611d510c10f6df7ad13b9f040d2a90b7606a429d3e5411c65f690cde4c3d0
Instruction Fuzzy Hash: 72511770E0561ACFDB48CFAAC4415AFFFF2AF88301F25D46AD815A7254D7349A428F94

Uniqueness

Uniqueness Score: -1.00%

Function 06056EB8 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0, xrefs: 06056F2D

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 27f1f84cdf39f5622daacbf66a0d4616aff8fcfbfcdd63958858f04dd2620166
Instruction ID: 44ed5a79b80a3a2c8e87d3f285ad8760be8f46e9aeed7a2749a0fc7dad2367f4
Opcode Fuzzy Hash: 27f1f84cdf39f5622daacbf66a0d4616aff8fcfbfcdd63958858f04dd2620166
Instruction Fuzzy Hash: 7121F9B1E106188BEB58CFABD84079EFBF3AFC8200F14C07AD518A6214EB300A51CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02D9D5BC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2063064112.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3be42dc509330ceb8608ac0590b51ab73ef6bd6b6d189613cb96998d88d402
Instruction ID: 18feabbfa1d176deb06e9c3758ae1f73998083f7bb16e87f416f24a6994d3959
Opcode Fuzzy Hash: 5d3be42dc509330ceb8608ac0590b51ab73ef6bd6b6d189613cb96998d88d402
Instruction Fuzzy Hash: AFA12636A002098FCF09DFA5C8449AEB7B2FF85304B25856AE805AB765DB31ED55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0605AA08 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab63252bf0d687a6bcca37200594cc9430fb4563bf5c1df059eddcfda66d0e73
Instruction ID: 0d1f2de5f1d1a2ee367dcaf8ef51ecbbcab5083ffe1845260d0ec2d77aa49c27
Opcode Fuzzy Hash: ab63252bf0d687a6bcca37200594cc9430fb4563bf5c1df059eddcfda66d0e73
Instruction Fuzzy Hash: 8E81BF74E55219CFCB44CFA9C58499EFBF1FF88210F15956AE819AB320D334AA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06058718 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ad7b411564630161abd1ff90f30c949c5dae8e670fa8e8086020574fe8d883
Instruction ID: 972b2098ee3e69de636d4c769dc10d917e955ec968499b3febcd10edfd017bde
Opcode Fuzzy Hash: 59ad7b411564630161abd1ff90f30c949c5dae8e670fa8e8086020574fe8d883
Instruction Fuzzy Hash: 44712474E0121A9FDB44CF9AD5809EEFBB2FB88350F11C16AE815AB354D3349A81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0605BE78 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee7196987b7d5f128d04ab2ca64b2215b11643b1b679c99857616ee865729c2
Instruction ID: 0bd26017aaef9c583f4cb0fdc213dffb341d0d1f2552ec32ca8ecd5cc156c163
Opcode Fuzzy Hash: cee7196987b7d5f128d04ab2ca64b2215b11643b1b679c99857616ee865729c2
Instruction Fuzzy Hash: 96612470995709DFEB48CF94F18619FBFB1FB89300F219489C68597144EF385A64CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0605B8C0 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b5b9f4c928d66c5f81f99db3e4a87e46f834f5a115bc7f3c20b936b13a0e91
Instruction ID: d46dfb611d3f3f60f300995bb415569ac37c00118498aac85ea3eefed0ab52f4
Opcode Fuzzy Hash: d9b5b9f4c928d66c5f81f99db3e4a87e46f834f5a115bc7f3c20b936b13a0e91
Instruction Fuzzy Hash: 1561F3B0E4420A9FDB44DFAAC5915EEFFB2FF99300F15841AD825A7204D334AA81CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0605D850 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 054f7cd20793c42a53ceb2eba6c2c5043b7b935549e8a013c21e34c35182755a
Instruction ID: b7c4c5eccd2189fa262ab2f2f2746238d243fa74e561d64f2126e75ad8e54557
Opcode Fuzzy Hash: 054f7cd20793c42a53ceb2eba6c2c5043b7b935549e8a013c21e34c35182755a
Instruction Fuzzy Hash: A5513870E5620ACFDB48CFAAD4455AEBFF2FF88310F10942AE405A7294D7745A418F94

Uniqueness

Uniqueness Score: -1.00%

Function 06050006 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606ca377a1f62c37e910653d2f5a801c6a19097e37eb8714b7d4088005e04167
Instruction ID: 9fbaea7a35ddc6f8b6b48ed1edc2384d8a1e8ed67dc418e586db5323330938a0
Opcode Fuzzy Hash: 606ca377a1f62c37e910653d2f5a801c6a19097e37eb8714b7d4088005e04167
Instruction Fuzzy Hash: 8A4191B2D056588FEB1DCF6B8C5068AFFF3AFC9200F09C1FA8848AB265DA3505558F11

Uniqueness

Uniqueness Score: -1.00%

Function 06050040 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a2a2c17e4be2be8ec107b1c988034518ab1fd4728f07a121122e9fafd057922
Instruction ID: c2e2f2b5128bc0b47eea0692aae76e3cb99e9f9b29ee4bdeda0d8f46843d0a55
Opcode Fuzzy Hash: 3a2a2c17e4be2be8ec107b1c988034518ab1fd4728f07a121122e9fafd057922
Instruction Fuzzy Hash: BB415071D416188BEB5CCF6B8D4469EFAF3AFC8301F18C1BA881DAA214EB3505958F55

Uniqueness

Uniqueness Score: -1.00%

Function 0605BC30 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073654427.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6050000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca1bf19e35414623fcd91e9d5e6904f72e04df67b24f690e4d726a26235de1b
Instruction ID: 67a4f9a23263ea76354c01b1728c19a2394c8abee94334f65528442ada892c61
Opcode Fuzzy Hash: 2ca1bf19e35414623fcd91e9d5e6904f72e04df67b24f690e4d726a26235de1b
Instruction Fuzzy Hash: 2241D4B0D4020ADFDB48CFAAC4915EEFFF2BF88200F14D52AD815A7250D774AA418F98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exePID: 5080, Parent PID: 6620COMMON

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	24
Total number of Limit Nodes:	4

Executed Functions

Function 01679C08 Relevance: 2.8, Instructions: 2817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20ea36795c105d56f82d4f6f20b65f7583661673afcce75db8eea71dff9b062
Instruction ID: 3379320521bf46b064c8d9b969b3a9395d51b4450ec3245b58a9799fc105f939
Opcode Fuzzy Hash: a20ea36795c105d56f82d4f6f20b65f7583661673afcce75db8eea71dff9b062
Instruction Fuzzy Hash: 7563F731D10B1A8ADB51EF68C8406A9F7B1FF99300F15D79AE05877221EB70AAD5CF81

Uniqueness

Uniqueness Score: -1.00%

Function 01679C01 Relevance: 2.7, Instructions: 2726COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7f676d88ee029bc808438b70221642de47e663fd5a11721641a82458d11409
Instruction ID: a0efa7aa3553446ad65359f8290de4a7872cfc5a59735af116faff6a91d46974
Opcode Fuzzy Hash: 8a7f676d88ee029bc808438b70221642de47e663fd5a11721641a82458d11409
Instruction Fuzzy Hash: 1353F731C10B1A8ADB51EF68C8406A9F7B1FF99300F15D79AE45877221EB70AAD5CF81

Uniqueness

Uniqueness Score: -1.00%

Function 01674A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40421abb37ecfbfb2a460e7081c0522b6870533ee86b19a09435382fa1d8d8d5
Instruction ID: 470340cda787ed9dfd3a92c3c100c0199b399daf20ce5e323b36399c9e347868
Opcode Fuzzy Hash: 40421abb37ecfbfb2a460e7081c0522b6870533ee86b19a09435382fa1d8d8d5
Instruction Fuzzy Hash: 0AB14C71E00209CFDF10CFA9CD897ADBBF2AF88754F148129D859A7394EB749885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01673E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2603efcf0a6a3f84b464418c4ae89816c700e5342fc433edf75d236f8034784f
Instruction ID: c4574c19e9a2b98ae4f6a0afd74df9ee8851a038ee81943499387f5033cd0773
Opcode Fuzzy Hash: 2603efcf0a6a3f84b464418c4ae89816c700e5342fc433edf75d236f8034784f
Instruction Fuzzy Hash: DF914770E00209DFDB10DFADD9857AEBBF2BF88344F148129E415A7394EB749886CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0656E33F Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0656E212), ref: 0656E2FF

Strings

Te]q, xrefs: 0656E38A

Memory Dump Source

Source File: 00000005.00000002.3314635067.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6560000_SecuriteInfo.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: Te]q
API String ID: 1890195054-52440209
Opcode ID: 414bf85f87288426a6afc05eedeba005c0afee7405ff68da62e3eb9cfabe057f
Instruction ID: 7db215bb7e33d0cf441135a3feb486ee81b829cd7ea6bbe7357c57408cb13786
Opcode Fuzzy Hash: 414bf85f87288426a6afc05eedeba005c0afee7405ff68da62e3eb9cfabe057f
Instruction Fuzzy Hash: DB51DE35E112198BDF60DFA9C8407ADB7B2FF89311F20852AE409EB354DB74AC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0656D374 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0656E212), ref: 0656E2FF

Memory Dump Source

Source File: 00000005.00000002.3314635067.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6560000_SecuriteInfo.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 9d7adddee6403d18de66afd320d4e699fd87fbb9dc8778b00bb05d5a48ea3fbe
Instruction ID: 4fd4797aa75ba4cf27dc054a46077d6ab35521f183dad6dad1e61e698b931c9a
Opcode Fuzzy Hash: 9d7adddee6403d18de66afd320d4e699fd87fbb9dc8778b00bb05d5a48ea3fbe
Instruction Fuzzy Hash: 51112FB1C046599BCB10DF9AC844AAEFBF4BB08320F14812AE818A7240D378A940CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0656E296 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0656E212), ref: 0656E2FF

Memory Dump Source

Source File: 00000005.00000002.3314635067.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6560000_SecuriteInfo.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 29c923662e4bafbacfdafeecbc5f7ebc89422bc3ad06e19865c2695f7b73f629
Instruction ID: d9301a23893029886849fcbc80b114f196d7070e151e974ce22b7e182cfd62e5
Opcode Fuzzy Hash: 29c923662e4bafbacfdafeecbc5f7ebc89422bc3ad06e19865c2695f7b73f629
Instruction Fuzzy Hash: 201120B5C006599BCB10CFAAC5457EEFBF4BF08324F14812AE818B7240D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0167F425 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0167F573

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 14c996d1592cd91e247ec4a856e518b768a07f2e88fa8a31cd2619a239852720
Instruction ID: 10cdc9b6794a3f9cfd87221133df54f679338d76776e2781633b810f4510686a
Opcode Fuzzy Hash: 14c996d1592cd91e247ec4a856e518b768a07f2e88fa8a31cd2619a239852720
Instruction Fuzzy Hash: BA31C0307002018FDB159F38C964A6E7BF2AF89250F1444B8D406DB35ADF74DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0167F438 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0167F573

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 4fba5cc2810292ee60ff0c487ef06d939110dca9c0df6e291a17906ca2292f6a
Instruction ID: 8239371aba8cd7fa8342dbd2a653c8a7a24360ae46321106caa19869da5f0972
Opcode Fuzzy Hash: 4fba5cc2810292ee60ff0c487ef06d939110dca9c0df6e291a17906ca2292f6a
Instruction Fuzzy Hash: DC31ED307002018FDB19AF38C954A6E7BE7AF88250F2444B8D406DB399DF34DD46CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01676F78 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

LR]q, xrefs: 01676F93

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: e5f332aad1801c09fa9326fe8bf93cc212326f6ea3c773aac1ede0f3583e05ac
Instruction ID: f109a922777c684040142f9b9c2da3a4a229eb3c3a20a4ef20fab5b402d064cc
Opcode Fuzzy Hash: e5f332aad1801c09fa9326fe8bf93cc212326f6ea3c773aac1ede0f3583e05ac
Instruction Fuzzy Hash: 7031D474E102099FEF16CF69D84879EB7B2FF85310F10852AE406EB340EB759882CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01676BB3 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

LR]q, xrefs: 01676BD7

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 55a79694c8be641090ac390e4c229da4a0ed77a39a85243e4d3c781a60b45a86
Instruction ID: f699e78c1a677388d09b640f3848c00fa4637efdf813260d95eb52cad66ae940
Opcode Fuzzy Hash: 55a79694c8be641090ac390e4c229da4a0ed77a39a85243e4d3c781a60b45a86
Instruction Fuzzy Hash: 2F01D4317041415FDB15AB7C94646AE3BF2EFC6610B1488AEC049CB755DE399C47C792

Uniqueness

Uniqueness Score: -1.00%

Function 0167F5C0 Relevance: .6, Instructions: 626COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a9c693db58a2a8e35b72d79cdb99d2fbb17a13f341f308def3bfda65bc1b6f
Instruction ID: dadb3ae52f52eb5b52323ec0faf4807a99d40405f022b90b1fbe1665f60f6d27
Opcode Fuzzy Hash: c1a9c693db58a2a8e35b72d79cdb99d2fbb17a13f341f308def3bfda65bc1b6f
Instruction Fuzzy Hash: 04424A34A002058FDB20DF68C984AADBBF2FF49314F6585A9D429EB366DB35EC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01677930 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 696f86097374482141a9a0598bc49a45f73d4e9dcaadfd98a8a68d40f08690db
Instruction ID: 4eaa6cba7bad59c64ab576dbad00164507ddf5fae50444aff8c9afbe481d57a6
Opcode Fuzzy Hash: 696f86097374482141a9a0598bc49a45f73d4e9dcaadfd98a8a68d40f08690db
Instruction Fuzzy Hash: 0E124C307011069FCB1ABB38E998A2C76A7FB85225F548939E507CB359DF35DC4AC7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01674A8D Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2551662ecc2dc29481da4dc6c16d9e6a50fc04a35fbc0877d4e5fc6a7fff8e
Instruction ID: 9bbfca288e3fa7fe56205b27903d7880592558b2c445b57674df3b98898d1499
Opcode Fuzzy Hash: 4b2551662ecc2dc29481da4dc6c16d9e6a50fc04a35fbc0877d4e5fc6a7fff8e
Instruction Fuzzy Hash: 23B14A71E00219CFDB10CFA8DD897EDBBF2AF88754F148129D859A7354EB749886CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01679390 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f62d25a1fc16f27c19676ca93459e1569295ad3598b7c29475c1698b78dd75
Instruction ID: 917ccedd4d72fd5e1b9bd008235fd02d57a44215b5b4f0f70199f63abb2d5515
Opcode Fuzzy Hash: 39f62d25a1fc16f27c19676ca93459e1569295ad3598b7c29475c1698b78dd75
Instruction Fuzzy Hash: 67A15C34A001148FDB15DF68D994AADBBF2FF88324F248569E806E73A5DB75EC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0167CFA8 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ae38ec157e57eaa1783aa40100d2360d9eb6687f751f13b27b0b713a933213
Instruction ID: 3edcb05e468326542a56362cec8f554ab091532b752bb1f1cddd71a7a91f6011
Opcode Fuzzy Hash: 28ae38ec157e57eaa1783aa40100d2360d9eb6687f751f13b27b0b713a933213
Instruction Fuzzy Hash: AC917E70B002169FDB15DF68C880A6EB7A6FF84314F248A69D419DB396DB35EC83C791

Uniqueness

Uniqueness Score: -1.00%

Function 0167938D Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f1f0f76cd72efaf2112b030643f7585237b93fb2a569818485e9a27616767f
Instruction ID: 89952bf328a25062fca6e9d0ac54abba770a1d06745c098ecf32e3c1ce8abfa6
Opcode Fuzzy Hash: a8f1f0f76cd72efaf2112b030643f7585237b93fb2a569818485e9a27616767f
Instruction Fuzzy Hash: 95915B34A001158FDB15DF68D984AADBBF2FF88325F248569E806E73A5DB35EC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01673E74 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c247cc8336ef3a91a13a7d373fbd9472059aa3f05a9f70f97e762ab5f78ef9f
Instruction ID: 5690606f6abb2f22fa66ed3ad518314e898540065d6fbba8501ec0b06aff39e5
Opcode Fuzzy Hash: 5c247cc8336ef3a91a13a7d373fbd9472059aa3f05a9f70f97e762ab5f78ef9f
Instruction Fuzzy Hash: 4C914870E00209DFDB11DFACD9857AEBBF2BF88354F148129E415A7354EB749886CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01674810 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc36d91fb6acc2f9fff7159fcc565d88aced99c5273e52f588a2ab3264e0c47
Instruction ID: 6220d388b1fdcfdefeeb69cb87ac40823aa53d8fb692e1c2420ab48e8943a1a4
Opcode Fuzzy Hash: 3dc36d91fb6acc2f9fff7159fcc565d88aced99c5273e52f588a2ab3264e0c47
Instruction Fuzzy Hash: C9715B70E00249CFDB14DFADC88579EBBF2BF88314F148129E815A7354EB749842CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01674804 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c7a91a136c80145ed2e0e8c2b370735c10a2159a038fce773f9f50c47d6cd9
Instruction ID: 79df13eaab33b504ef8af13e65d802e71dffe20efe1b11a7d8cc2973fa6c954f
Opcode Fuzzy Hash: b9c7a91a136c80145ed2e0e8c2b370735c10a2159a038fce773f9f50c47d6cd9
Instruction Fuzzy Hash: 8D714AB1D00249DFDB10DFADC9897DEBBF2AF88314F148129E815A7354EB749842CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01679098 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553d95ac20da74e65ebba186d510014add5df35fc13a764e0f1b9146042ea72
Instruction ID: 7c17b0d05835574b676d10e2451e49de2e680cfe6dda436ee4ab451082aa6202
Opcode Fuzzy Hash: 9553d95ac20da74e65ebba186d510014add5df35fc13a764e0f1b9146042ea72
Instruction Fuzzy Hash: EA411531A042058BCB16CB78EC946DEBBB5EF85329F10C56EE805EB352DB319947CB51

Uniqueness

Uniqueness Score: -1.00%

Function 016796F8 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2af9be39de8ee92b319c970606d39f6629777052f7ca968c29d4892960af68c
Instruction ID: ade123aa65d1fcd005251033b79c0b44820251d5a585c070817441ef8218c139
Opcode Fuzzy Hash: e2af9be39de8ee92b319c970606d39f6629777052f7ca968c29d4892960af68c
Instruction Fuzzy Hash: 5B415074B0020A8BDF259EACD89177EB7B6EB85324F21482AD51AD7381D734DC46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 016798A8 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cbef247a9a75e4b861d1f885abba9247d14284ac6e2a8e6bda86e755d932b1f
Instruction ID: d404a64c7ef1bd8d123d705fcab0aadc52205cc2bc108ce03dfd4649b7e72fbb
Opcode Fuzzy Hash: 6cbef247a9a75e4b861d1f885abba9247d14284ac6e2a8e6bda86e755d932b1f
Instruction Fuzzy Hash: 6E515875A01205CFDB04DF69E884B99FBB6FF88324F14C16AE9099B396E770D845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01676CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2f45086650247c47baa88ded826dfcc77f14e17a7ef8f4eeecfd973530eb77
Instruction ID: 6fef76d3c5c8b86d09d6b52e3685704d2be317330cfce5c3a495aa81395aed1e
Opcode Fuzzy Hash: bf2f45086650247c47baa88ded826dfcc77f14e17a7ef8f4eeecfd973530eb77
Instruction Fuzzy Hash: EB512471D106188FEB18CFA9C884B9DFBB1BF48314F148529E819BB391D774A845CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01671138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c8a89ef694a5b04454a7aaf90f0a32def50f3e29e965ae917a391eeda6eaae
Instruction ID: 300766176f6e5fc4f52ae772de24063be182116e0bade27fff15954dbb125d37
Opcode Fuzzy Hash: 05c8a89ef694a5b04454a7aaf90f0a32def50f3e29e965ae917a391eeda6eaae
Instruction Fuzzy Hash: D651DA3160324A9FCB2AFF38FDA8A483F67FB553043005979D1059B63DDB24692ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 016796F1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4254367cb55832f988cf0ced3dd07c0450282251729c5581d781b072ece0cdb
Instruction ID: 836a470af70ce83fc25826db2082561d823675124476f6ed3c6685af6547f977
Opcode Fuzzy Hash: b4254367cb55832f988cf0ced3dd07c0450282251729c5581d781b072ece0cdb
Instruction Fuzzy Hash: 80316175B002068BDB25DE78D98177EB7B6EB85324F214829C51AE7385D734EC428B82

Uniqueness

Uniqueness Score: -1.00%

Function 016726DC Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc31d8489c01565fe69f7b99e6e7262c465bf04a1d04712a24a83ba2c3fc93f5
Instruction ID: 769793c3ecfba8d96df5db5dd5a673a0eec0103e7e980f8aca47ca75868679fb
Opcode Fuzzy Hash: fc31d8489c01565fe69f7b99e6e7262c465bf04a1d04712a24a83ba2c3fc93f5
Instruction Fuzzy Hash: 5141E1B0D00348DFDB14DFA9C994ADEBFB5FF48314F148029E419AB254DB75994ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 01675098 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128e90fc11a000783a7c3d738ff3ffec5316647f969b7fcc989c22cd71ca7c34
Instruction ID: 2b74c69732addc8393d0e2d3a13e6bbedadca9e62546f60a45d547922f4d7edd
Opcode Fuzzy Hash: 128e90fc11a000783a7c3d738ff3ffec5316647f969b7fcc989c22cd71ca7c34
Instruction Fuzzy Hash: AF316E307012198FDB19EB78D9656AD77B6AF49206F2004BDC406AB7A4DF36CC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0167F2F8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ade7e88d5edd156c6a03906c465e4098fd4ffd62b73dbfb42263214bf2d1fb
Instruction ID: 4681604c39129eec5b9c542a988af816b4bd2e396e36a2b12e72fe48ec6aa6c4
Opcode Fuzzy Hash: a9ade7e88d5edd156c6a03906c465e4098fd4ffd62b73dbfb42263214bf2d1fb
Instruction Fuzzy Hash: BE316030E10205DBCF15DF68D894A9EBBB2FF89310F108969E816E7754DB71AC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 016726E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df9aa436b6263db52bdbd1f59f45cfee3eaf6a1db0897aaf26ef32eafd47ff6f
Instruction ID: b79c1775880b7c3dbe8b59ad53e3d7f5e38debd1053f9ad5316657587d3eb405
Opcode Fuzzy Hash: df9aa436b6263db52bdbd1f59f45cfee3eaf6a1db0897aaf26ef32eafd47ff6f
Instruction Fuzzy Hash: 3B41EEB0D003489FDB14DFA9C994ADEBFB5FF48310F148029E419AB254DB75A949CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016750A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b3dacd24f5d9b39d402b37b0a6af0fc862a2460cdf441b6e407c5cafa46e27
Instruction ID: 7caad5cb93cef907d9fa35bf817416abdda6b6cf56779a0da826f7885bdfa5c6
Opcode Fuzzy Hash: 19b3dacd24f5d9b39d402b37b0a6af0fc862a2460cdf441b6e407c5cafa46e27
Instruction Fuzzy Hash: 7C316C307012198FDB15EB78D9656AD77F6AF89206F2004BDC406AB3A4DF36DC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01679271 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d14c2ff225aa6bf2ae2f432eb8eb90f36eb49fc2748236bb58b1cd91da3be646
Instruction ID: 3d4f9d982fb7b1be34a5ab815fa81bcdfed8aa7c53b78279475288456e9273ba
Opcode Fuzzy Hash: d14c2ff225aa6bf2ae2f432eb8eb90f36eb49fc2748236bb58b1cd91da3be646
Instruction Fuzzy Hash: 90318530E002099BDB05DFA8D89479EFBB2FF85324F10C629E815EB355D7719846CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01679278 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b2c9e17b189ae4f2d53e18f3322bfa7845a2ad3e7685225521e23809aeccca
Instruction ID: 6c14c747d814221650cfb4ace0c94ff95db4b209b3925064000d01fb08790655
Opcode Fuzzy Hash: 88b2c9e17b189ae4f2d53e18f3322bfa7845a2ad3e7685225521e23809aeccca
Instruction Fuzzy Hash: 25218230E0020A9BDB05DFA8D894A9EFBB2FF85324F10C629E815EB355DB719846CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01679A40 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0c75a72d635e7f52ef31f3f155e081e2291b83e61bc9cd4b80f40f072c69fa
Instruction ID: 06facd591f917fca6305ac6dcc7f7c7574051cd8d0336838d372df001525a882
Opcode Fuzzy Hash: ac0c75a72d635e7f52ef31f3f155e081e2291b83e61bc9cd4b80f40f072c69fa
Instruction Fuzzy Hash: BB216D31B102058FDB14ABADCD54BAE7BF6AF88728F108169E505EB3A5DBB1DD408B50

Uniqueness

Uniqueness Score: -1.00%

Function 01679169 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0dcaf3533d2d88df67fd6cc5bf8454e399c68ee3af594b00326f58b91ceb9a
Instruction ID: afbd714c6c084dddc384b673dbf35f7172411f8b62f79a990aa393e09ae2a96a
Opcode Fuzzy Hash: fa0dcaf3533d2d88df67fd6cc5bf8454e399c68ee3af594b00326f58b91ceb9a
Instruction Fuzzy Hash: E2219071E102098BCB19DF68D8946DEF7F2AF89314F10C51AEC16BB341DB709946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01674F88 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd49890a402b15e0ca36aa4c5ab5ff77369fbb839af15d252ec50187323c92b
Instruction ID: cca2300c5835520d6607d3da9e15e92f8cb92edacec2f54ba7fe30e7659f9745
Opcode Fuzzy Hash: fcd49890a402b15e0ca36aa4c5ab5ff77369fbb839af15d252ec50187323c92b
Instruction Fuzzy Hash: E8212E34700245CFCB55DB78D959AADBBF2EF89304B1044A9E406EB365DB369D05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0162D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308533429.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_162d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7268a3e5ba88f93557140a720dfc76f4fd33425a39c6b13321aca8203ca46dd9
Instruction ID: e6ad268c01de16379866db857c792000dde611d306fad9edd38f4aa0fc3b2480
Opcode Fuzzy Hash: 7268a3e5ba88f93557140a720dfc76f4fd33425a39c6b13321aca8203ca46dd9
Instruction Fuzzy Hash: 39210071504604DFCB15DF98D980B26BBA5FB88314F20C569D90A4A3A6C33AD807CA62

Uniqueness

Uniqueness Score: -1.00%

Function 01679178 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a745d9062e5aec68056f7c32fb62b4c81b6442b2eb41717484abf64919c576f8
Instruction ID: f4d03f24151d4c4f2f8351514abe537d0870af86e96b19973c12317e82c2be6b
Opcode Fuzzy Hash: a745d9062e5aec68056f7c32fb62b4c81b6442b2eb41717484abf64919c576f8
Instruction Fuzzy Hash: 9D218430E1020A9BCB19DF68D85459EF7F2AF89314F10C51AEC15FB351DB70A946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01671888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a65e67c6b3a4bf6eec6a3c7b89bbc3c83ea82f88fd397e6e480a484b6625e75
Instruction ID: e81585bd502a84a02913ba41bdd7e923556366d28ae5b84316819780f98c62cf
Opcode Fuzzy Hash: 0a65e67c6b3a4bf6eec6a3c7b89bbc3c83ea82f88fd397e6e480a484b6625e75
Instruction Fuzzy Hash: 0F213030B00209CFDB15EB78C9156AE77F6AF4A205F10046ED506EB364DF368D46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01679A3D Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b41de7c4acac0b8d75246301da0609709bb17ca5df144f101110221207c135
Instruction ID: 381c5f499b00e6fe27abea07c6dd19713cff07ebe36326d050c192227642f9ac
Opcode Fuzzy Hash: 27b41de7c4acac0b8d75246301da0609709bb17ca5df144f101110221207c135
Instruction Fuzzy Hash: 08218E71B101058FEB14DB69CD55BAE7BF6AF88724F148069E505EB3A4DB71DD00CB50

Uniqueness

Uniqueness Score: -1.00%

Function 016716B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ba4be005ff62a2e09bbc0171791613617bdb0eb9a5c89b196b4f1a1c30dc1d
Instruction ID: 60c916745cb69e194d019c2e9dd9550473d07fb8d91421067cc3bb53761b5ac0
Opcode Fuzzy Hash: 59ba4be005ff62a2e09bbc0171791613617bdb0eb9a5c89b196b4f1a1c30dc1d
Instruction Fuzzy Hash: F9218E386401068BDF26EB38EC98B2D776AEB45314F104A37D10AC735ADB28D855CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01674F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8948f48f91730e9ccf941d4dfe4fcaa874a18054595fbfceae55140bc65d41
Instruction ID: 1007855ad68b4eaa7258efe5e6f58daaccb1e1ad51f565a5bf874e6ed6e74e7a
Opcode Fuzzy Hash: ef8948f48f91730e9ccf941d4dfe4fcaa874a18054595fbfceae55140bc65d41
Instruction Fuzzy Hash: 10210C34700209CFDB15DB78D959A9DB7F2EF89304F1044A9E406EB364DB369D05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01671391 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b562d54e8aa8aa53d6f60a89e7bce7f34036f19a100bc7fec891348b4f86a6
Instruction ID: 82816cd294a92d9d719a934d6ebf7e6812d4d21ce1755d1f4e4dcf15214ace96
Opcode Fuzzy Hash: e3b562d54e8aa8aa53d6f60a89e7bce7f34036f19a100bc7fec891348b4f86a6
Instruction Fuzzy Hash: D9118230A422018BEF36673DE85832D3666EB47325F50086FE51AC739ADB29C9D5C792

Uniqueness

Uniqueness Score: -1.00%

Function 01670848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0bbedcb12d38da4cf03c3c45f45f7a15b589f43925b94b248364d63b956b1b
Instruction ID: 14423ce38b8520ed5ca19e16b30066493b43d8467a60acb14c5351c45c5a063b
Opcode Fuzzy Hash: 7a0bbedcb12d38da4cf03c3c45f45f7a15b589f43925b94b248364d63b956b1b
Instruction Fuzzy Hash: 7911C430B002048FDF65AA7DDC1476E369AEB46220F214A7AF006CF396DB24D8858BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0162D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308533429.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_162d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: c4848c327c5b2e1f531ba6385cb8c366d0568bfd983758618a90776ca0ab4063
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: D111BB75504680CFDB12CF58D9C4B15BFA1FB88314F28C6AAD9494B766C33AD44ACF62

Uniqueness

Uniqueness Score: -1.00%

Function 01671498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889097b7ab982578a0066e1d537a90ae29f4e340c8c1f5607cff2dc9db68d30d
Instruction ID: 0e1b471f03412f6296a1b4ec5f524ca356d7e67b417a461ed0c82d0790c1b7b8
Opcode Fuzzy Hash: 889097b7ab982578a0066e1d537a90ae29f4e340c8c1f5607cff2dc9db68d30d
Instruction Fuzzy Hash: 11015671A013159FDF65EFBC8C5019DBBF6EF4A210B14047AE805E7341E739D9428BA5

Uniqueness

Uniqueness Score: -1.00%

Function 016717CD Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcfe80edf25341f5eb35f2ea586f591be3586843a60f6a5f5d5e76a1fb91b033
Instruction ID: 190b6105e25ebf4f7270c632e44a12fb866d2659f1dc4afa2f10a02a7d223a8e
Opcode Fuzzy Hash: fcfe80edf25341f5eb35f2ea586f591be3586843a60f6a5f5d5e76a1fb91b033
Instruction Fuzzy Hash: E301F975F40215DFDF10AB799C0826E7BE6EB88650F10483BD91AD3341EB34C9528BC1

Uniqueness

Uniqueness Score: -1.00%

Function 016798A1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb417a32000fb6411f7e39cf9c3b71a4c3518dc882cb68f7bfbb9b180618d0f8
Instruction ID: ad8e617c0ae5b49c18c020430c855e8ef5dc5231489c0c1af27adf60af1f4b1f
Opcode Fuzzy Hash: cb417a32000fb6411f7e39cf9c3b71a4c3518dc882cb68f7bfbb9b180618d0f8
Instruction Fuzzy Hash: 4E018031A001058BDB04EFA9EA8578ABBA6FF84321F58C664C8085B39AD774D906C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01677090 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088e729648e82cb7802e9481f65dab799ca5c7f907025cd0379693369b1139b2
Instruction ID: b9f4fa93651da53f66612bcc5f0709ccfca19a600b722d38b9c726f42768b327
Opcode Fuzzy Hash: 088e729648e82cb7802e9481f65dab799ca5c7f907025cd0379693369b1139b2
Instruction Fuzzy Hash: D7014B34B40108CFDB14DB74E99CB6C77B2EF88315F5444A9E50A8B3A1DB35AC52CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01678108 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a02ad19845e1f3c2e15465be2fcca0fbec9bd5c97f3d8720adb4f47992c3516
Instruction ID: 772c4d34914a6b0975b36b3b1121e7d1dbcfcb3366437d3c1713507211541d58
Opcode Fuzzy Hash: 9a02ad19845e1f3c2e15465be2fcca0fbec9bd5c97f3d8720adb4f47992c3516
Instruction Fuzzy Hash: 8D01A23054114A9FCB06FB74FA54A8D7FB6EF41314B1047A9C4059F2A9DF32AB0AC792

Uniqueness

Uniqueness Score: -1.00%

Function 01671524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11145e9e306c228a699e702020eab02026d801163c6f4750bdcba5fe639c256
Instruction ID: 17dbbd4c6f4d7b3b67fea72444a099437d9af61a7ed61f5e1d6cd4f1ef913392
Opcode Fuzzy Hash: a11145e9e306c228a699e702020eab02026d801163c6f4750bdcba5fe639c256
Instruction Fuzzy Hash: E8F0F072A042509BEB228BA88C901ACBFA1EEAA12171C00EBD802DB351D729D542CB21

Uniqueness

Uniqueness Score: -1.00%

Function 01678118 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3308782893.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1670000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74858c481aabd746d29e98cab541c4f5684670c2b9c1549441b59ec566a0ab4
Instruction ID: efb753c053a3dfe5c1bfb9a4b7f595dc02689babdbea14ae12859c1ce66bf5e5
Opcode Fuzzy Hash: f74858c481aabd746d29e98cab541c4f5684670c2b9c1549441b59ec566a0ab4
Instruction Fuzzy Hash: 96F01D3490110E9FCB05FFB4FA54A9D7BBAEF40304F5046B9C1059B258DB316B19CB92

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.29608.5434.exe

Function 060579C8 Relevance: 4.0, Strings: 3, Instructions: 201
COMMON

Function 06059B68 Relevance: 1.6, Strings: 1, Instructions: 302
COMMON

Function 02D9D031 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Function 02D9D040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0605A1A8 Relevance: 2.6, Strings: 2, Instructions: 63
COMMON

Function 02D9ADA8 Relevance: 1.7, APIs: 1, Instructions: 208
COMMON

Function 02D9590C Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Function 02D944B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02D9D690 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 02D9D689 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 02D9A130 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 02D9B219 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Function 02D9AF98 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre