Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe
Analysis ID:	1632068
MD5:	a9d3902f3eaae2e0325d0de835e34c0d
SHA1:	721c1efb7a89491fb9c0596ab449becceb384b0e
SHA256:	de9b08a05ea2bbe00ee85225b98ab2c992aa74e1042c678943bb6d786ba35e74
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

Score:	52
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Submitted sample is a known malware sample

Allocates memory in foreign processes

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Dropped file seen in connection with other malware

Drops PE files

Found dropped PE file which has not been started or loaded

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe (PID: 6836 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe" MD5: A9D3902F3EAAE2E0325D0DE835E34C0D)

SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp (PID: 7056 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp" /SL5="$20410,8814724,780800,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe" MD5: 64ED0A358C4A5D732D5DC267554B3B55)

SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe (PID: 5832 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe" /VERYSILENT MD5: A9D3902F3EAAE2E0325D0DE835E34C0D)

SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp (PID: 3656 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp" /SL5="$20414,8814724,780800,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe" /VERYSILENT MD5: 64ED0A358C4A5D732D5DC267554B3B55)

AutoIt3.exe (PID: 6840 cmdline: "C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe" medusa.a3x MD5: 3F58A517F1F4796225137E7659AD2ADB)

jsc.exe (PID: 3356 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)

AutoIt3.exe (PID: 4676 cmdline: "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Autoit3.exe" "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\medusa.a3x" MD5: 3F58A517F1F4796225137E7659AD2ADB)

jsc.exe (PID: 6620 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)

AutoIt3.exe (PID: 2672 cmdline: "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Autoit3.exe" "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\medusa.a3x" MD5: 3F58A517F1F4796225137E7659AD2ADB)

jsc.exe (PID: 5728 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)

cleanup

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Autoit3.exe" "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\medusa.a3x", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe, ProcessId: 6840, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\medusa

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp" /SL5="$20410,8814724,780800,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp" /SL5="$20410,8814724,780800,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, NewProcessName: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, ParentProcessId: 6836, ParentProcessName: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp" /SL5="$20410,8814724,780800,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe" , ProcessId: 7056, ProcessName: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Virustotal: Detection: 31%			Perma Link
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	ReversingLabs: Detection: 31%

Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\git-credential-manager\git-credential-manager\out\shared\Git-Credential-Manager\obj\WindowsRelease\net472\win-x86\git-credential-manager.pdbSHA2567 source: is-5130L.tmp.3.dr
Source:	Binary string: D:\a\git-credential-manager\git-credential-manager\out\shared\Git-Credential-Manager\obj\WindowsRelease\net472\win-x86\git-credential-manager.pdb source: is-5130L.tmp.3.dr
Source:	Binary string: E:\bslave-ngproducts\builddir\build\mc_adobe_sdk_dbginfo_win64_x64_release\mc_dec_aac.pdb source: mc_dec_aac.dll.4.dr
Source:	Binary string: c:\cvs\c5\Win32\dll_output\release\cryptopp.pdb source: is-EQ2GK.tmp.3.dr
Source:	Binary string: output file name with .pdb extension) source: Microsoft.CodeAnalysis.CSharp.resources.dll.4.dr
Source:	Binary string: c:\cvs\c5\Win32\dll_output\release\cryptopp.pdbXP source: is-EQ2GK.tmp.3.dr
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr

Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: is-AAOF1.tmp.3.dr, AutoIt3.exe.4.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: is-AAOF1.tmp.3.dr, AutoIt3.exe.4.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: is-AAOF1.tmp.3.dr, AutoIt3.exe.4.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: is-AAOF1.tmp.3.dr, AutoIt3.exe.4.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: mc_dec_aac.dll.4.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: mc_dec_aac.dll.4.dr	String found in binary or memory: http://evcs-aia.ws.symantec.com/evcs.cer0
Source: mc_dec_aac.dll.4.dr	String found in binary or memory: http://evcs-crl.ws.symantec.com/evcs.crl0
Source: mc_dec_aac.dll.4.dr	String found in binary or memory: http://evcs-ocsp.ws.symantec.com04
Source: is-EQ2GK.tmp.3.dr	String found in binary or memory: http://ocsp.certum.pl0
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: mc_dec_aac.dll.4.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: is-AAOF1.tmp.3.dr, AutoIt3.exe.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: is-AAOF1.tmp.3.dr, AutoIt3.exe.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: is-AAOF1.tmp.3.dr, AutoIt3.exe.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: is-AAOF1.tmp.3.dr, AutoIt3.exe.4.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: is-AAOF1.tmp.3.dr, AutoIt3.exe.4.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://subca.ocsp-certum.com01
Source: is-EQ2GK.tmp.3.dr	String found in binary or memory: http://time.certum.pl0
Source: mc_dec_aac.dll.4.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: mc_dec_aac.dll.4.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: mc_dec_aac.dll.4.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: AutoIt3.exe, 00000004.00000000.909441908.0000000000F55000.00000002.00000001.01000000.0000000E.sdmp, AutoIt3.exe, 00000006.00000000.1040420967.0000000000D75000.00000002.00000001.01000000.0000000F.sdmp, AutoIt3.exe, 00000007.00000000.1128674349.0000000000D75000.00000002.00000001.01000000.0000000F.sdmp, is-AAOF1.tmp.3.dr, AutoIt3.exe.4.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr, is-EQ2GK.tmp.3.dr	String found in binary or memory: http://www.certum.pl/CPS0
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: divx_ssleay32.dll.4.dr	String found in binary or memory: http://www.openssl.org/V
Source: mc_dec_aac.dll.4.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: mc_dec_aac.dll.4.dr	String found in binary or memory: http://www.symauth.com/cps09
Source: mc_dec_aac.dll.4.dr	String found in binary or memory: http://www.symauth.com/rpa04
Source: is-5130L.tmp.3.dr	String found in binary or memory: https://aka.ms/gcm/rename
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: https://jrsoftware.org/
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: https://jrsoftware.org0
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: https://winscp.net/
Source: is-AAOF1.tmp.3.dr, AutoIt3.exe.4.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: https://www.certum.pl/CPS0
Source: is-EQ2GK.tmp.3.dr	String found in binary or memory: https://www.certum.pl/repository.
Source: AutoIt3.exe.4.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: is-AAOF1.tmp.3.dr, AutoIt3.exe.4.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp.0.dr, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp.2.dr	String found in binary or memory: https://www.innosetup.com/
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp.0.dr, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp.2.dr	String found in binary or memory: https://www.remobjects.com/ps

System Summary

Submitted sample is a known malware sample

Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped file: MD5: 9a7234078559093e06c9d32148ed95a3 Family: TRITON Alias: TEMP.Veles, TRISIS, XENOTIME, HATMAN, TRITON Description: TRITON, named by FireEye, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. It is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.When the attacker gained remote access to an SIS engineering workstation, the TRITON attack framework was deployed to reprogram the SIS controllers, to modify application memory on SIS controllers that could lead to a failed validation check. References: https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.htmlhttps://dragos.com/adversaries.htmlhttps://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.htmlData Source: https://github.com/RedDrip7/APT_Digital_Weapon
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped file: MD5: 9a7234078559093e06c9d32148ed95a3 Family: TRITON Alias: TEMP.Veles, TRISIS, XENOTIME, HATMAN, TRITON Description: TRITON, named by FireEye, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. It is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.When the attacker gained remote access to an SIS engineering workstation, the TRITON attack framework was deployed to reprogram the SIS controllers, to modify application memory on SIS controllers that could lead to a failed validation check. References: https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.htmlhttps://dragos.com/adversaries.htmlhttps://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.htmlData Source: https://github.com/RedDrip7/APT_Digital_Weapon
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Dropped file: MD5: 9a7234078559093e06c9d32148ed95a3 Family: TRITON Alias: TEMP.Veles, TRISIS, XENOTIME, HATMAN, TRITON Description: TRITON, named by FireEye, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. It is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.When the attacker gained remote access to an SIS engineering workstation, the TRITON attack framework was deployed to reprogram the SIS controllers, to modify application memory on SIS controllers that could lead to a failed validation check. References: https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.htmlhttps://dragos.com/adversaries.htmlhttps://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.htmlData Source: https://github.com/RedDrip7/APT_Digital_Weapon

Source: Joe Sandbox View

Dropped File: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe 1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48

Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe

Static PE information: invalid certificate

Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: is-98HV9.tmp.3.dr	Static PE information: Number of sections : 11 > 10
Source: is-T190N.tmp.3.dr	Static PE information: Number of sections : 11 > 10

Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, 00000000.00000003.889925753.000000007FB70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, 00000000.00000000.889015133.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, 00000000.00000003.900910740.00000000022E8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, 00000000.00000003.900910740.000000000222A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, 00000002.00000003.915750053.00000000021EA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, 00000002.00000003.915750053.00000000022A8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Binary or memory string: OriginalFileName vs SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe

Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal52.winEXE@17/40@0/0

Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe

File created: C:\Users\user~1\AppData\Local\Temp\is-5TAQ4.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Virustotal: Detection: 31%
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	ReversingLabs: Detection: 31%

Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: /LOADINF="filename"
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: -Helper process exited with failure code: 0x%x
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	String found in binary or memory: /LoadInf=

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Process created: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp "C:\Users\user~1\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp" /SL5="$20410,8814724,780800,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe" /VERYSILENT
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Process created: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp "C:\Users\user~1\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp" /SL5="$20414,8814724,780800,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe "C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe" medusa.a3x
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: unknown	Process created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Autoit3.exe" "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\medusa.a3x"
Source: unknown	Process created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Autoit3.exe" "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\medusa.a3x"
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Process created: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp "C:\Users\user~1\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp" /SL5="$20410,8814724,780800,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Process created: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp "C:\Users\user~1\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp" /SL5="$20414,8814724,780800,C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe "C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe" medusa.a3x	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe

Static file information: File size 11944851 > 1048576

Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\git-credential-manager\git-credential-manager\out\shared\Git-Credential-Manager\obj\WindowsRelease\net472\win-x86\git-credential-manager.pdbSHA2567 source: is-5130L.tmp.3.dr
Source:	Binary string: D:\a\git-credential-manager\git-credential-manager\out\shared\Git-Credential-Manager\obj\WindowsRelease\net472\win-x86\git-credential-manager.pdb source: is-5130L.tmp.3.dr
Source:	Binary string: E:\bslave-ngproducts\builddir\build\mc_adobe_sdk_dbginfo_win64_x64_release\mc_dec_aac.pdb source: mc_dec_aac.dll.4.dr
Source:	Binary string: c:\cvs\c5\Win32\dll_output\release\cryptopp.pdb source: is-EQ2GK.tmp.3.dr
Source:	Binary string: output file name with .pdb extension) source: Microsoft.CodeAnalysis.CSharp.resources.dll.4.dr
Source:	Binary string: c:\cvs\c5\Win32\dll_output\release\cryptopp.pdbXP source: is-EQ2GK.tmp.3.dr
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr

Source: is-AN23S.tmp.3.dr

Static PE information: 0xF54EB960 [Tue Jun 1 23:53:04 2100 UTC]

Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Static PE information: section name: .didata
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp.0.dr	Static PE information: section name: .didata
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp.2.dr	Static PE information: section name: .didata
Source: is-QQGJR.tmp.3.dr	Static PE information: section name: text
Source: is-98HV9.tmp.3.dr	Static PE information: section name: .xdata
Source: is-T190N.tmp.3.dr	Static PE information: section name: .xdata
Source: is-KV2V7.tmp.3.dr	Static PE information: section name: .xdata
Source: mc_dec_aac.dll.4.dr	Static PE information: section name: text

Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Local\Temp\is-JBP35.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\mc_dec_aac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Local\Temp\is-OQU0L.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Local\Temp\is-JBP35.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	File created: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\is-5130L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\is-98HV9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\mc_dec_aac.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\is-KV2V7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\is-BQT49.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\is-6HS5H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\ACEOLEDB.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\is-QQGJR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Local\Temp\is-OQU0L.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\divx_ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\git-credential-manager-core.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\wish.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	File created: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\divx_ssleay32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\CryptoPP530Fips32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Local\Temp\is-JBP35.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\bzip2recover.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\CryptoPP530Fips32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\is-AN23S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\is-T190N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.CodeAnalysis.CSharp.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\is-AAOF1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Local\Temp\is-OQU0L.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\Microsoft.CodeAnalysis.CSharp.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\is-EQ2GK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\ACEOLEDB.DLL (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	File created: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\x86_64-w64-mingw32-agrep.exe (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce medusa	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce medusa	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce medusa	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce medusa	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\mc_dec_aac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JBP35.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-OQU0L.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JBP35.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\is-5130L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\is-98HV9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\mc_dec_aac.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\is-KV2V7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\is-BQT49.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\is-6HS5H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\ACEOLEDB.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\is-QQGJR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-OQU0L.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\git-credential-manager-core.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\divx_ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\wish.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\divx_ssleay32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\CryptoPP530Fips32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JBP35.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\CryptoPP530Fips32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\bzip2recover.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\is-AN23S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\is-T190N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.CodeAnalysis.CSharp.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-OQU0L.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\Microsoft.CodeAnalysis.CSharp.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\is-EQ2GK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\ACEOLEDB.DLL (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\x86_64-w64-mingw32-agrep.exe (copy)	Jump to dropped file

Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000002.899932886.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000002.899932886.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: D00000 protect: page execute and read and write	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 700000 protect: page execute and read and write	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 700000 protect: page execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"	Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"	Jump to behavior

Source: AutoIt3.exe, 00000004.00000000.909338469.0000000000F41000.00000002.00000001.01000000.0000000E.sdmp, AutoIt3.exe, 00000006.00000000.1040351772.0000000000D61000.00000002.00000001.01000000.0000000F.sdmp, AutoIt3.exe, 00000007.00000000.1128563263.0000000000D61000.00000002.00000001.01000000.0000000F.sdmp

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	112 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	112 Process Injection	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Timestomp	Security Account Manager	2 System Owner/User Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	32%	Virustotal		Browse
SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	32%	ReversingLabs	Win32.Spyware.Lummastealer

Dropped Files

Source	Detection	Scanner
C:\9e146be9-c76a-4720-bcdb-53011b87bd06\ACEOLEDB.DLL	0%	ReversingLabs
C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	0%	ReversingLabs
C:\9e146be9-c76a-4720-bcdb-53011b87bd06\CryptoPP530Fips32.dll	0%	ReversingLabs
C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.CodeAnalysis.CSharp.resources.dll	0%	ReversingLabs
C:\9e146be9-c76a-4720-bcdb-53011b87bd06\divx_ssleay32.dll	0%	ReversingLabs
C:\9e146be9-c76a-4720-bcdb-53011b87bd06\mc_dec_aac.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-JBP35.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-JBP35.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-JBP35.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-OQU0L.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-OQU0L.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-OQU0L.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\ACEOLEDB.DLL (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\CryptoPP530Fips32.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\Microsoft.CodeAnalysis.CSharp.resources.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\bzip2recover.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\git-credential-manager-core.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\is-5130L.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\is-98HV9.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\is-KV2V7.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\is-T190N.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\wish.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\bin\x86_64-w64-mingw32-agrep.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\divx_ssleay32.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\is-6HS5H.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\is-AAOF1.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\is-AN23S.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\is-BQT49.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\is-EQ2GK.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\is-QQGJR.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\mc_dec_aac.dll (copy)	0%	ReversingLabs

Source	Detection	Scanner	Label
http://time.certum.pl0	0%	Avira URL Cloud	safe
https://www.certum.pl/repository.	0%	Avira URL Cloud	safe
http://ocsp.certum.pl0	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	false		high
http://repository.certum.pl/ctnca.cer09	SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		high
https://aka.ms/gcm/rename	is-5130L.tmp.3.dr	false		high
https://www.certum.pl/repository.	is-EQ2GK.tmp.3.dr	false	Avira URL Cloud: safe	unknown
http://repository.certum.pl/cscasha2.cer0	SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		high
http://ocsp.sectigo.com0	SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		high
http://www.symauth.com/cps09	mc_dec_aac.dll.4.dr	false		high
http://crl.certum.pl/ctnca.crl0k	SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		high
http://www.openssl.org/V	divx_ssleay32.dll.4.dr	false		high
http://ocsp.thawte.com0	mc_dec_aac.dll.4.dr	false		high
http://time.certum.pl0	is-EQ2GK.tmp.3.dr	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/X	AutoIt3.exe, 00000004.00000000.909441908.0000000000F55000.00000002.00000001.01000000.0000000E.sdmp, AutoIt3.exe, 00000006.00000000.1040420967.0000000000D75000.00000002.00000001.01000000.0000000F.sdmp, AutoIt3.exe, 00000007.00000000.1128674349.0000000000D75000.00000002.00000001.01000000.0000000F.sdmp, is-AAOF1.tmp.3.dr, AutoIt3.exe.4.dr	false		high
http://ocsp.certum.pl0	is-EQ2GK.tmp.3.dr	false	Avira URL Cloud: safe	unknown
https://winscp.net/	SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe	false		high
https://www.certum.pl/CPS0	SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		high
https://www.autoitscript.com/autoit3/	is-AAOF1.tmp.3.dr, AutoIt3.exe.4.dr	false		high
http://www.symauth.com/cps0(	mc_dec_aac.dll.4.dr	false		high
http://crl.certum.pl/cscasha2.crl0q	SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		high
http://cscasha2.ocsp-certum.com04	SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	mc_dec_aac.dll.4.dr	false		high
https://www.remobjects.com/ps	SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp.0.dr, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp.2.dr	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		high
http://subca.ocsp-certum.com01	SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		high
https://www.innosetup.com/	SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp.0.dr, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp.2.dr	false		high
https://sectigo.com/CPS0D	SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		high
https://jrsoftware.org0	SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		high
https://jrsoftware.org/	SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		high
http://www.symauth.com/rpa04	mc_dec_aac.dll.4.dr	false		high
http://www.certum.pl/CPS0	SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000001.00000003.896306995.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp, 00000003.00000003.911496302.0000000002463000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr, is-EQ2GK.tmp.3.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632068
Start date and time:	2025-03-07 19:09:23 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe
Detection:	MAL
Classification:	mal52.winEXE@17/40@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): sppsvc.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:10:18	API Interceptor	1x Sleep call for process: SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp modified
19:10:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce medusa "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Autoit3.exe" "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\medusa.a3x"
19:10:32	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce medusa "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Autoit3.exe" "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\medusa.a3x"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe	SecuriteInfo.com.Win32.Malware-gen.14270.13618.exe	Get hash	malicious	Unknown	Browse
	icernWzgk6.exe	Get hash	malicious	AsyncRAT	Browse
	UI19UVUDOTXM3078IUTTFRFNK.exe	Get hash	malicious	Unknown	Browse
	Exploit Locator.exe	Get hash	malicious	PureCrypter	Browse
	Exploit Locator.exe	Get hash	malicious	PureCrypter	Browse
	Ja49WogyXz.exe	Get hash	malicious	PureCrypter, AsyncRAT	Browse
	Ja49WogyXz.exe	Get hash	malicious	PureCrypter, AsyncRAT	Browse
	setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse
	epg7xcMIYc.exe	Get hash	malicious	PureCrypter, AsyncRAT	Browse
	w9OR6Y9uhh.exe	Get hash	malicious	PureCrypter, AsyncRAT	Browse

Created / dropped Files

C:\9e146be9-c76a-4720-bcdb-53011b87bd06\ACEOLEDB.DLL

Download File

Process:	C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	536992
Entropy (8bit):	5.876402976457912
Encrypted:	false
SSDEEP:	6144:tsbT523hNg/FOmdXguFfLQRxeEGPtK4GMFOhtfmSDMuy6nO1qXbJGtA9ct:tsbT5EGFSRxf47OLwIG8ct
MD5:	BD5A7CAA9B91B6D67C5AC1FF73887D49
SHA1:	76DDAAB33CFCDA230C799E5056E74E7D62FC62E8
SHA-256:	82699F083305D52B462D809B4B8A6C31D239BAE2368A1A2C86B1E224EB78D1AF
SHA-512:	B071248D254450BC657CB77B06D3C9A442B82642FAC417CF979D8356EDD807B86A9657BF3E11329640B1F4D4143B44B243311B6419B7E49635D2F04C8F52E371
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........zX-..6~..6~..6~..[~..6~.c.~..6~.c.~..6~..M~..6~..7~Q.6~.T.~..6~.I.~..6~.c.~..6~.c.~..6~.c.~..6~.c.~..6~.c.~..6~Rich..6~........................PE..d......K.........." .....^...........Y.......................................@............@.........................................h................ ..........`K...........0.......l..8............................................p...............................text...E].......^.................. ..`.rdata.......p.......b..............@..@.data...H6.......2..................@....pdata..`K.......L..................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................

C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe

Download File

Process:	C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	943784
Entropy (8bit):	6.621472142472864
Encrypted:	false
SSDEEP:	24576:MghN1a6pzWZ12+f+Qa7N4nEIRQ1hOOLkF6av8uh:vhN1aQzJD4BuTxavfh
MD5:	3F58A517F1F4796225137E7659AD2ADB
SHA1:	E264BA0E9987B0AD0812E5DD4DD3075531CFE269
SHA-256:	1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
SHA-512:	ACF740AAFCE390D06C6A76C84E7AE7C0F721731973AADBE3E57F2EB63241A01303CC6BF11A3F9A88F8BE0237998B5772BDAF569137D63BA3D0F877E7D27FC634
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Win32.Malware-gen.14270.13618.exe, Detection: malicious, Browse Filename: icernWzgk6.exe, Detection: malicious, Browse Filename: UI19UVUDOTXM3078IUTTFRFNK.exe, Detection: malicious, Browse Filename: Exploit Locator.exe, Detection: malicious, Browse Filename: Exploit Locator.exe, Detection: malicious, Browse Filename: Ja49WogyXz.exe, Detection: malicious, Browse Filename: Ja49WogyXz.exe, Detection: malicious, Browse Filename: setup_patched.exe, Detection: malicious, Browse Filename: epg7xcMIYc.exe, Detection: malicious, Browse Filename: w9OR6Y9uhh.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......hm..,...,...,.....m.......o.......n.......[.-....h..8....h.......h..>...%t..%...%t......,........h..\|....h..-....hc.-...,........h..-...Rich,...........................PE..L...R..Z.........."...............................@.......................................@...@.......@.........................\|....P..h............J.......0.. v.........................../..........@............................................text............................... ..`.rdata..............................@..@.data...4p.......H..................@....rsrc...h....P......................@..@.reloc.. v...0...x..................@..B................................................................................................................................................................................................................................................................

C:\9e146be9-c76a-4720-bcdb-53011b87bd06\CryptoPP530Fips32.dll

Download File

Process:	C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1277496
Entropy (8bit):	6.693734264633346
Encrypted:	false
SSDEEP:	24576:4pPfSOTjS+katpqQTutqG3kGP7NS0LdbiAJ:4VnTu+kNQqqG3kIE0Ldb3J
MD5:	9A7234078559093E06C9D32148ED95A3
SHA1:	40361DAD15B9B5AE2757A21D1CE6A61C3C37E891
SHA-256:	32F5D0A454C26E8AA6F4CAD58F3782337CC97CFE2305BBFE564437E5F0D51BBC
SHA-512:	9A2C3761D799999A691CD605F11C4014F604AFA9A46B3B4C9999EEF177F0E703CA2ED52C22824CBA613559CE37BD134C566D54A4E51141828816B02A4F3DA05B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B"..C...C...C..!...'C..!...?C..!...C...L...C...C..fC..!...7C..!....C..!....C..!....C..Rich.C..........PE..L......D...........!................J..............B...................................................................../......<....p...............p..8.......,.......................................@...............\............................text...=........................... ..`.rdata..7...........................@..@.data........P.......P..............@....rsrc........p.......P..............@..@.reloc...............`..............@..B................................................................................................................................................................................................................................................................................................................................

C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.CodeAnalysis.CSharp.resources.dll

Download File

Process:	C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	578336
Entropy (8bit):	5.238086168281471
Encrypted:	false
SSDEEP:	12288:0Fpz+bmpYc3lyhLQJP8Vo7xphnxQBxou+68i0y1gJfGVF6jeF:
MD5:	A3FBE1A31E4D555DAA87D89BBAD7BB2F
SHA1:	92739B15EAC585149FBFBCCB5F04AB7C761A04F2
SHA-256:	2272EE9B4DF7B6E62792F9D017824954C8FF790255760BE1A3D51185B32ECF46
SHA-512:	351E5C915C3BE7783E42D999DDEAFD867825446381AF8A94D218E1D7A97CE33917A2BE8E2E333CDCCB3D724B94559E457E6727E09CDAE8FE4903095AA5C36670
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.N..........." ..0.............R.... ........... ..............................x.....@.....................................O....................... ).......................................................... ............... ..H............text...X.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................4.......H.......P ..d............%......d.......................................BSJB............v4.0.30319......l...0...#~..........#Strings............#US.........#GUID...........#Blob......................3..................................................f.....f.....S...........;.....;...A.;...^.;.....;...*.;.................M.....M.....M...).M...1.M...9.M...A.M...I.M...Q.M.......................#.....+.....3.@...;.T...C.....K.......................................................

C:\9e146be9-c76a-4720-bcdb-53011b87bd06\divx_ssleay32.dll

Download File

Process:	C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	267264
Entropy (8bit):	6.076714137468418
Encrypted:	false
SSDEEP:	6144:KME1sI7pQob6fJfhs893tCFZ3YO75jKHF0UCQmTanMoXOCJ8YC6zRyDinOS/JbRN:KMMsI7pdAths8930FZYQjKHaUCQmTan5
MD5:	62BFA08279FEDBD789C16890DA33250F
SHA1:	A4588A6BC47C668A3032DB0E67D934B79E416606
SHA-256:	F16ACDFA1A2D278BA7DE196FF9769DA71E01747E93600DF166C376C515B7225C
SHA-512:	3A04360B44FB2DBEE8CC684F0FD7E765AE0556CE81FAADDBEEA4E1C75B7A466FDA3382B530F952C219F697B8242244200F957E7752D78E973C85F287AFC9627A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$...J...J...J./1..J..t$..J..t7..J..t1..J...K..J..t'...J..t0...J..t6...J..t2...J.Rich..J.........................PE..d....T?L.........." .........4...............................................P......*...................................................F.......P....0..........8............@..T....................................................................................text...>........................... ..`.rdata..F...........................@..@.data....E.......@..................@....pdata..8........ ..................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................

C:\9e146be9-c76a-4720-bcdb-53011b87bd06\mc_dec_aac.dll

Download File

Process:	C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	515272
Entropy (8bit):	7.005589549281488
Encrypted:	false
SSDEEP:	6144:K5NQiy4hbNqpbAuoa0MFsfFFWeRT7DwRgVpNtg+Oy+NJfOMBfcQ85VKo2qoT:K5NzhGstFWcW+g9OyGKoboT
MD5:	5C48918247C4F18AFF250A02430174C6
SHA1:	FDB3B1ECFE3BA516410143E32E20EC99C5D96F67
SHA-256:	3B3BE931FF4C9D587FC4D6FF91FF6EA978F21D032A22F1885AA357907DA60D75
SHA-512:	632502A628313A41FE765831C6AAE9CF23D8E73C4A1D756689FE6B2F5A694DC361FCC3721C3C903AC89E00E6BC1708AE0A3F95785D58C40B92FE2A434E00D550
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........:...i...i...i..Oi...i...i...i.@Bi...i.@vi8..i.@wi...i.@Gi...i.@Fi...i.@Ai...iRich...i........................PE..d.....OS.........." .................).......................................P......S/....@.................................................D...(.... ...........!...........0.......2...............................................0..@............................text...f........................... ..`.rdata..^....0......................@..@.data....b.......>..................@....pdata...!......."..................@..@text.................P..............@.. data.....A.......B...h..............@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................

C:\9e146be9-c76a-4720-bcdb-53011b87bd06\medusa.a3x

Download File

Process:	C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe
File Type:	data
Category:	dropped
Size (bytes):	991944
Entropy (8bit):	7.999823261825745
Encrypted:	true
SSDEEP:	24576:A5iqxSCuW5F+rioT6chTYiyP2qOpdtELf:ExL7bMiXwTmIdtEj
MD5:	9AE574FAAA8B20E4381AA78577827034
SHA1:	F1AA4447DC28541D80DFDC48C7E292670DC7218F
SHA-256:	C6C5692B26F80273F487C3966CAEB2114BA6D9020267ABC3895EAF9A4B7BFAF3
SHA-512:	82A35CD6ACFC68321026C39F417583EEEABEBBC89E632400EB858B3F8573A23E992B54897A28C0E36B9C15D9AB9056C192F4FC4F795C0A5C39A608ADDA9FC236
Malicious:	false
Preview:	.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.M....D....9..u2.+..^..R.a@.].F.e..EQi.,.......m..%......w4#.....f...\..z..})..4.m....vs.....f..b..O.?.I8..o..K.,.qn...D.................W.......W...kC.R......%x....}...q..U-...(....%....V..?p.h`...55.SZ_S.^q..x.....k>r0...O...9xe7y>.v.T...Ip... .o*z.`7G......i...{Z/....Nk...m.N......c)Y.`.37...i=..T..-..f.....'......b~...H...X.:.q,......\d........).m.....n].o..5...x...(nU.j....06.f".].X.:..)...=.H.}.......$......G.............#=._.z.8..7.O..g}.a.D.U.u..\y>).1A?..2..a....'s......'....lbU.B..\..?N..~...Y..p.....2v...k..?..C.~..Q..K...p+.D:.....'...%.S.B~]......t.XHB..?..l.h....r.m^p...yY....TN..o.q.l.I.6t.fv.....+\|nR.i..5].xM..Jr..o1......J..rOL.\|.".c........K.o.C....Km.o.4..V.......g..j.p....X .1r..e'..DA.M]..'..c...z..3..S$....l.^.8.Pq.Z.i0.P...\.h.~]=....P....A....Z...M..%...yH...0.&7......ew..=..X....m..V.HS.......r.4.).8..SVsr..@.?@A...MA.p.`D.

C:\9e146be9-c76a-4720-bcdb-53011b87bd06\medusa.adt

Download File

Process:	C:\Users\user\AppData\Roaming\{4FBB4D32-AE65-44FF-892B-259803FF796B}\AutoIt3.exe
File Type:	data
Category:	dropped
Size (bytes):	5270528
Entropy (8bit):	7.9999629731866
Encrypted:	true
SSDEEP:	98304:vNrxUQc0c9rXrLStNFw5AxFZuuZoVBSVgdCu+79qXsj1aQwe5XBZsgMUitjYcCvm:vFmFNj3YXw5yOvrSKCu+hqckzGrsBUin
MD5:	745E2ACFA4F059226B9F7E9471535290
SHA1:	BF7448FC102AD1CEC84A8DA1253DB0A6FF7537B3
SHA-256:	9424B6D8746DF0CBAA6D0D4D932F24C856FD8BF84B0A990D5ECC9C207F9C8110
SHA-512:	B2F923DF692DB58B5C94035172DFB948E2514177F428608FF05C214984A274B85133A2CD7E7F70AF1F6C84C3BDB14EE7EF6792EB98C7846D82DAC2156E1EDD71
Malicious:	false
Preview:	z..........bz..9)...Gg]B0...k!.nX..BT...y..t=....5#.N.^8o..'D.-...F.i.%.......M8..^.q...z...zNV2..M.......V+..U....k<.}.M..y..zGb......{....>......r..j.n.6R...:.......(,H.p..I.{.....B.....x.ro..pe.N.....j.....htr.....Y.)p(...^M~.Q......._..P.......pt\|F..J\&F..h..f.C..........\........g....xQ...'jk........m9...l..B.....w<.4..s.6.2.4.[..q....bY...ge0..........ne...r&.\|..l.(.-(vXk.0.Yx.c/......e.....I`...@.}..jonk..DqV......r.H./..g"...0..C.4...U. .f..(..y......n.S...0J....^s...9.2.vZ...2Kg.....x-...].?.."@..;9L4...^..7A...0!r.?..mn.c.lyn... mM...~..1."...Z%...3...\|z.U.ND.w..P.E.Z..=.3..P$.RQ......../.^.+.F!.O..Q...,Y.{6qX.A.....r&......i..U..h.y...0.8.N.35.......6......2&S......Zd....=c..S.*.......s..tfa.g..".H....a]z]...._.>..B.e.C!..9.<...@.....((....ww,..0.{.An.D..?...I[.....8.......A.&.....?....".D....#Sxy.c....\|..Fj.\ca.hH...A.1I..T...y..v..iV[.J+6e...T......7.....-....<.'..xu.w.}..N.txK..G.W..{.....)..Td.l.. kz...To?...>.3.....D..

C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	3014144
Entropy (8bit):	6.3940879430705095
Encrypted:	false
SSDEEP:	49152:QLJwSihjOb6GLb4SKEs3DyOMC2DlgwccAP8SOHxVkTE0:swSi0b67zeC/wccAP85H
MD5:	64ED0A358C4A5D732D5DC267554B3B55
SHA1:	BF71A117062384A9A514185EC5AB832014310B11
SHA-256:	03C2CED3610CF2AEA0D84DC0721ECFF15230C53DAD0ABFA5FA6CE934F1BACDBA
SHA-512:	5F239686148E05257E07241D1325FEF6A7C799142005113DE3FC31AD619D54630B866617D10BE978CE0D6EE59280D4CEC2C233240D3677B80D0A86E57D68DE72
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....]_.................$,.........P6,......@,...@.......................................@......@....................-......`-.49....-.......................................................-......................i-.......-......................text...0.+.......+................. ..`.itext..t(....,..*....+............. ..`.data.......@,......(,.............@....bss.....x....,..........................idata..49...`-..:....,.............@....didata.......-.......,.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@......................-.............@..@........................................................

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\9e146be9-c76a-4720-bcdb-53011b87bd06\ACEOLEDB.DLL

C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe

C:\9e146be9-c76a-4720-bcdb-53011b87bd06\CryptoPP530Fips32.dll

C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.CodeAnalysis.CSharp.resources.dll

C:\9e146be9-c76a-4720-bcdb-53011b87bd06\divx_ssleay32.dll

C:\9e146be9-c76a-4720-bcdb-53011b87bd06\mc_dec_aac.dll

C:\9e146be9-c76a-4720-bcdb-53011b87bd06\medusa.a3x

C:\9e146be9-c76a-4720-bcdb-53011b87bd06\medusa.adt

C:\Users\user\AppData\Local\Temp\is-5TAQ4.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp

C:\Users\user\AppData\Local\Temp\is-CAP8V.tmp\SecuriteInfo.com.W32.PossibleThreat.20086.24920.tmp

Windows Analysis Report
SecuriteInfo.com.W32.PossibleThreat.20086.24920.exe