Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe
Analysis ID:	1640953
MD5:	e5481d0bd29388b2025a9db3167b66ce
SHA1:	78dc24a45304b5eec3c904e4248bd56765968d96
SHA256:	b90b6f766b3e75cbd0cb02ac6f732e81071d3d2409b101d7986878458de2f9c5
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe" MD5: E5481D0BD29388B2025A9DB3167B66CE)

SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe (PID: 1692 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe" MD5: E5481D0BD29388B2025A9DB3167B66CE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7265039693:AAEgBQWh2zD6Y0qjiHnF71BlD3yWIMzprMM/sendMessage?chat_id=7886581547", "Token": "7265039693:AAEgBQWh2zD6Y0qjiHnF71BlD3yWIMzprMM", "Chat_id": "7886581547", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3645837674.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3645837674.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3645837674.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148bb:$a1: get_encryptedPassword 0x14ba7:$a2: get_encryptedUsername 0x146c7:$a3: get_timePasswordChanged 0x147c2:$a4: get_passwordField 0x148d1:$a5: set_encryptedPassword 0x15f72:$a7: get_logins 0x15ed5:$a10: KeyLoggerEventArgs 0x15b40:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.3645837674.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198c0:$x1: $%SMTPDV$ 0x182a4:$x2: $#TheHashHere%& 0x19868:$x3: %FTPDV$ 0x18244:$x4: $%TelegramDv$ 0x15b40:$x5: KeyLoggerEventArgs 0x15ed5:$x5: KeyLoggerEventArgs 0x1988c:$m2: Clipboard Logs ID 0x19aca:$m2: Screenshot Logs ID 0x19bda:$m2: keystroke Logs ID 0x19eb4:$m3: SnakePW 0x19aa2:$m4: \SnakeKeylogger\
00000002.00000002.3647546568.00000000032EB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1209255105.0000000004278000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1209255105.0000000004278000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1209255105.0000000004278000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1642b:$a1: get_encryptedPassword 0x36e4b:$a1: get_encryptedPassword 0x5766b:$a1: get_encryptedPassword 0x16717:$a2: get_encryptedUsername 0x37137:$a2: get_encryptedUsername 0x57957:$a2: get_encryptedUsername 0x16237:$a3: get_timePasswordChanged 0x36c57:$a3: get_timePasswordChanged 0x57477:$a3: get_timePasswordChanged 0x16332:$a4: get_passwordField 0x36d52:$a4: get_passwordField 0x57572:$a4: get_passwordField 0x16441:$a5: set_encryptedPassword 0x36e61:$a5: set_encryptedPassword 0x57681:$a5: set_encryptedPassword 0x17ae2:$a7: get_logins 0x38502:$a7: get_logins 0x58d22:$a7: get_logins 0x17a45:$a10: KeyLoggerEventArgs 0x38465:$a10: KeyLoggerEventArgs 0x58c85:$a10: KeyLoggerEventArgs
00000000.00000002.1209255105.0000000004278000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1b430:$x1: $%SMTPDV$ 0x3be50:$x1: $%SMTPDV$ 0x5c670:$x1: $%SMTPDV$ 0x19e14:$x2: $#TheHashHere%& 0x3a834:$x2: $#TheHashHere%& 0x5b054:$x2: $#TheHashHere%& 0x1b3d8:$x3: %FTPDV$ 0x3bdf8:$x3: %FTPDV$ 0x5c618:$x3: %FTPDV$ 0x19db4:$x4: $%TelegramDv$ 0x3a7d4:$x4: $%TelegramDv$ 0x5aff4:$x4: $%TelegramDv$ 0x176b0:$x5: KeyLoggerEventArgs 0x17a45:$x5: KeyLoggerEventArgs 0x380d0:$x5: KeyLoggerEventArgs 0x38465:$x5: KeyLoggerEventArgs 0x588f0:$x5: KeyLoggerEventArgs 0x58c85:$x5: KeyLoggerEventArgs 0x1b3fc:$m2: Clipboard Logs ID 0x1b63a:$m2: Screenshot Logs ID 0x1b74a:$m2: keystroke Logs ID
00000002.00000002.3647546568.0000000003121000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 6516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 6516	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 6516	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 6516	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x59926:$a1: get_encryptedPassword 0x59c08:$a2: get_encryptedUsername 0x5973c:$a3: get_timePasswordChanged 0x59837:$a4: get_passwordField 0x5993c:$a5: set_encryptedPassword 0x5be12:$a7: get_logins 0x5bd75:$a10: KeyLoggerEventArgs 0x5b9e0:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 6516	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5b9e0:$x5: KeyLoggerEventArgs 0x5bd75:$x5: KeyLoggerEventArgs 0x5c94e:$x5: KeyLoggerEventArgs 0x5ccaf:$x5: KeyLoggerEventArgs 0x5df9f:$m2: Clipboard Logs ID 0x5e0a5:$m2: Screenshot Logs ID 0x5e0fb:$m2: keystroke Logs ID 0x5e230:$m3: SnakePW 0x5e091:$m4: \SnakeKeylogger\
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 1692	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 1692	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 1692	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e5fc:$a1: get_encryptedPassword 0x2e8de:$a2: get_encryptedUsername 0x2e412:$a3: get_timePasswordChanged 0x2e50d:$a4: get_passwordField 0x2e612:$a5: set_encryptedPassword 0x30ae8:$a7: get_logins 0x30a4b:$a10: KeyLoggerEventArgs 0x306b6:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 1692	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x306b6:$x5: KeyLoggerEventArgs 0x30a4b:$x5: KeyLoggerEventArgs 0x31624:$x5: KeyLoggerEventArgs 0x31985:$x5: KeyLoggerEventArgs 0x32c75:$m2: Clipboard Logs ID 0x32d7b:$m2: Screenshot Logs ID 0x32dd1:$m2: keystroke Logs ID 0x32f06:$m3: SnakePW 0x32d67:$m4: \SnakeKeylogger\
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cbb:$a1: get_encryptedPassword 0x12fa7:$a2: get_encryptedUsername 0x12ac7:$a3: get_timePasswordChanged 0x12bc2:$a4: get_passwordField 0x12cd1:$a5: set_encryptedPassword 0x14372:$a7: get_logins 0x142d5:$a10: KeyLoggerEventArgs 0x13f40:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a676:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198a8:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cdb:$a4: \Orbitum\User Data\Default\Login Data 0x1ad1a:$a5: \Kometa\User Data\Default\Login Data
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138c6:$s1: UnHook 0x138cd:$s2: SetHook 0x138d5:$s3: CallNextHook 0x138e2:$s4: _hook
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cc0:$x1: $%SMTPDV$ 0x166a4:$x2: $#TheHashHere%& 0x17c68:$x3: %FTPDV$ 0x16644:$x4: $%TelegramDv$ 0x13f40:$x5: KeyLoggerEventArgs 0x142d5:$x5: KeyLoggerEventArgs 0x17c8c:$m2: Clipboard Logs ID 0x17eca:$m2: Screenshot Logs ID 0x17fda:$m2: keystroke Logs ID 0x182b4:$m3: SnakePW 0x17ea2:$m4: \SnakeKeylogger\
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cbb:$a1: get_encryptedPassword 0x12fa7:$a2: get_encryptedUsername 0x12ac7:$a3: get_timePasswordChanged 0x12bc2:$a4: get_passwordField 0x12cd1:$a5: set_encryptedPassword 0x14372:$a7: get_logins 0x142d5:$a10: KeyLoggerEventArgs 0x13f40:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a676:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198a8:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cdb:$a4: \Orbitum\User Data\Default\Login Data 0x1ad1a:$a5: \Kometa\User Data\Default\Login Data
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138c6:$s1: UnHook 0x138cd:$s2: SetHook 0x138d5:$s3: CallNextHook 0x138e2:$s4: _hook
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cc0:$x1: $%SMTPDV$ 0x166a4:$x2: $#TheHashHere%& 0x17c68:$x3: %FTPDV$ 0x16644:$x4: $%TelegramDv$ 0x13f40:$x5: KeyLoggerEventArgs 0x142d5:$x5: KeyLoggerEventArgs 0x17c8c:$m2: Clipboard Logs ID 0x17eca:$m2: Screenshot Logs ID 0x17fda:$m2: keystroke Logs ID 0x182b4:$m3: SnakePW 0x17ea2:$m4: \SnakeKeylogger\
2.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14abb:$a1: get_encryptedPassword 0x14da7:$a2: get_encryptedUsername 0x148c7:$a3: get_timePasswordChanged 0x149c2:$a4: get_passwordField 0x14ad1:$a5: set_encryptedPassword 0x16172:$a7: get_logins 0x160d5:$a10: KeyLoggerEventArgs 0x15d40:$a11: KeyLoggerEventArgsEventHandler
2.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c476:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6a8:$a3: \Google\Chrome\User Data\Default\Login Data 0x1badb:$a4: \Orbitum\User Data\Default\Login Data 0x1cb1a:$a5: \Kometa\User Data\Default\Login Data
2.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156c6:$s1: UnHook 0x156cd:$s2: SetHook 0x156d5:$s3: CallNextHook 0x156e2:$s4: _hook
2.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ac0:$x1: $%SMTPDV$ 0x184a4:$x2: $#TheHashHere%& 0x19a68:$x3: %FTPDV$ 0x18444:$x4: $%TelegramDv$ 0x15d40:$x5: KeyLoggerEventArgs 0x160d5:$x5: KeyLoggerEventArgs 0x19a8c:$m2: Clipboard Logs ID 0x19cca:$m2: Screenshot Logs ID 0x19dda:$m2: keystroke Logs ID 0x1a0b4:$m3: SnakePW 0x19ca2:$m4: \SnakeKeylogger\
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14abb:$a1: get_encryptedPassword 0x352db:$a1: get_encryptedPassword 0x14da7:$a2: get_encryptedUsername 0x355c7:$a2: get_encryptedUsername 0x148c7:$a3: get_timePasswordChanged 0x350e7:$a3: get_timePasswordChanged 0x149c2:$a4: get_passwordField 0x351e2:$a4: get_passwordField 0x14ad1:$a5: set_encryptedPassword 0x352f1:$a5: set_encryptedPassword 0x16172:$a7: get_logins 0x36992:$a7: get_logins 0x160d5:$a10: KeyLoggerEventArgs 0x368f5:$a10: KeyLoggerEventArgs 0x15d40:$a11: KeyLoggerEventArgsEventHandler 0x36560:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156c6:$s1: UnHook 0x35ee6:$s1: UnHook 0x156cd:$s2: SetHook 0x35eed:$s2: SetHook 0x156d5:$s3: CallNextHook 0x35ef5:$s3: CallNextHook 0x156e2:$s4: _hook 0x35f02:$s4: _hook
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ac0:$x1: $%SMTPDV$ 0x3a2e0:$x1: $%SMTPDV$ 0x184a4:$x2: $#TheHashHere%& 0x38cc4:$x2: $#TheHashHere%& 0x19a68:$x3: %FTPDV$ 0x3a288:$x3: %FTPDV$ 0x18444:$x4: $%TelegramDv$ 0x38c64:$x4: $%TelegramDv$ 0x15d40:$x5: KeyLoggerEventArgs 0x160d5:$x5: KeyLoggerEventArgs 0x36560:$x5: KeyLoggerEventArgs 0x368f5:$x5: KeyLoggerEventArgs 0x19a8c:$m2: Clipboard Logs ID 0x19cca:$m2: Screenshot Logs ID 0x19dda:$m2: keystroke Logs ID 0x3a2ac:$m2: Clipboard Logs ID 0x3a4ea:$m2: Screenshot Logs ID 0x3a5fa:$m2: keystroke Logs ID 0x1a0b4:$m3: SnakePW 0x3a8d4:$m3: SnakePW 0x19ca2:$m4: \SnakeKeylogger\
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14abb:$a1: get_encryptedPassword 0x354db:$a1: get_encryptedPassword 0x55cfb:$a1: get_encryptedPassword 0x14da7:$a2: get_encryptedUsername 0x357c7:$a2: get_encryptedUsername 0x55fe7:$a2: get_encryptedUsername 0x148c7:$a3: get_timePasswordChanged 0x352e7:$a3: get_timePasswordChanged 0x55b07:$a3: get_timePasswordChanged 0x149c2:$a4: get_passwordField 0x353e2:$a4: get_passwordField 0x55c02:$a4: get_passwordField 0x14ad1:$a5: set_encryptedPassword 0x354f1:$a5: set_encryptedPassword 0x55d11:$a5: set_encryptedPassword 0x16172:$a7: get_logins 0x36b92:$a7: get_logins 0x573b2:$a7: get_logins 0x160d5:$a10: KeyLoggerEventArgs 0x36af5:$a10: KeyLoggerEventArgs 0x57315:$a10: KeyLoggerEventArgs
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156c6:$s1: UnHook 0x360e6:$s1: UnHook 0x56906:$s1: UnHook 0x156cd:$s2: SetHook 0x360ed:$s2: SetHook 0x5690d:$s2: SetHook 0x156d5:$s3: CallNextHook 0x360f5:$s3: CallNextHook 0x56915:$s3: CallNextHook 0x156e2:$s4: _hook 0x36102:$s4: _hook 0x56922:$s4: _hook
0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ac0:$x1: $%SMTPDV$ 0x3a4e0:$x1: $%SMTPDV$ 0x5ad00:$x1: $%SMTPDV$ 0x184a4:$x2: $#TheHashHere%& 0x38ec4:$x2: $#TheHashHere%& 0x596e4:$x2: $#TheHashHere%& 0x19a68:$x3: %FTPDV$ 0x3a488:$x3: %FTPDV$ 0x5aca8:$x3: %FTPDV$ 0x18444:$x4: $%TelegramDv$ 0x38e64:$x4: $%TelegramDv$ 0x59684:$x4: $%TelegramDv$ 0x15d40:$x5: KeyLoggerEventArgs 0x160d5:$x5: KeyLoggerEventArgs 0x36760:$x5: KeyLoggerEventArgs 0x36af5:$x5: KeyLoggerEventArgs 0x56f80:$x5: KeyLoggerEventArgs 0x57315:$x5: KeyLoggerEventArgs 0x19a8c:$m2: Clipboard Logs ID 0x19cca:$m2: Screenshot Logs ID 0x19dda:$m2: keystroke Logs ID
Click to see the 23 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T22:28:15.657659+0100	2803305	3	Unknown Traffic	192.168.2.4	49716	104.21.64.1	443	TCP
2025-03-17T22:28:20.895629+0100	2803305	3	Unknown Traffic	192.168.2.4	49727	104.21.64.1	443	TCP
2025-03-17T22:28:23.454853+0100	2803305	3	Unknown Traffic	192.168.2.4	49731	104.21.64.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T22:28:14.110805+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49714	132.226.247.73	80	TCP
2025-03-17T22:28:15.056814+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49714	132.226.247.73	80	TCP
2025-03-17T22:28:16.447425+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49718	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Avira: detected

Found malware configuration

Source: 00000002.00000002.3647546568.0000000003121000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7265039693:AAEgBQWh2zD6Y0qjiHnF71BlD3yWIMzprMM/sendMessage?chat_id=7886581547", "Token": "7265039693:AAEgBQWh2zD6Y0qjiHnF71BlD3yWIMzprMM", "Chat_id": "7886581547", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	ReversingLabs: Detection: 33%
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Virustotal: Detection: 32%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack	String decryptor:
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack	String decryptor: 7265039693:AAEgBQWh2zD6Y0qjiHnF71BlD3yWIMzprMM
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack	String decryptor: 7886581547
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack	String decryptor:
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack	String decryptor: 7265039693:AAEgBQWh2zD6Y0qjiHnF71BlD3yWIMzprMM
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack	String decryptor: 7886581547

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49715 version: TLS 1.0

Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 02F4F1F6h	2_2_02F4F007
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 02F4FB80h	2_2_02F4F007
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_02F4E528
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B31471h	2_2_05B311C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B3D471h	2_2_05B3D1C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B3CBC1h	2_2_05B3C918
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B30BB1h	2_2_05B30900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B3D019h	2_2_05B3CD70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B31011h	2_2_05B30D60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B31A38h	2_2_05B31966
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B30751h	2_2_05B304A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B3F731h	2_2_05B3F488
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B3FB89h	2_2_05B3F8E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B3C769h	2_2_05B3C4C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B3F2D9h	2_2_05B3F030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B3BEB9h	2_2_05B3BC10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B3C311h	2_2_05B3C068
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B302F1h	2_2_05B30040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B3BA61h	2_2_05B3B7B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B3EA29h	2_2_05B3E780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B3EE81h	2_2_05B3EBD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B3E5D1h	2_2_05B3E328
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B3B609h	2_2_05B3B360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B3E179h	2_2_05B3DED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B31A38h	2_2_05B31620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B3D8C9h	2_2_05B3D620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B31A38h	2_2_05B31610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 05B3DD21h	2_2_05B3DA78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 06D98D4Dh	2_2_06D98A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 06D969D1h	2_2_06D96728
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 06D96579h	2_2_06D962D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 06D96121h	2_2_06D95E78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 06D95CC9h	2_2_06D95A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 06D97281h	2_2_06D96FD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_06D937C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 06D96E29h	2_2_06D96B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_06D937B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 06D90B99h	2_2_06D908F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 06D90741h	2_2_06D90498
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 06D97B59h	2_2_06D978B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 06D97702h	2_2_06D97458
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 06D902E9h	2_2_06D90040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 06D98861h	2_2_06D985B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 06D95849h	2_2_06D955A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 06D90FF1h	2_2_06D90D48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 06D98409h	2_2_06D98160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 4x nop then jmp 06D97FB1h	2_2_06D97D08

Source: global traffic

TCP traffic: 192.168.2.4:56797 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49718 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49714 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49727 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49716 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49731 -> 104.21.64.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49715 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003278000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000031E5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003286000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003228000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003278000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000031E5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003121000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003286000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1209255105.0000000004278000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3645837674.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003286000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org8
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003278000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000031FD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003286000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210892885.00000000077D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003228000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003278000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000031E5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003286000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1209255105.0000000004278000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000031E5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3645837674.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003228000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003278000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003286000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003278000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.00000000032CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.1898

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.3645837674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3645837674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1209255105.0000000004278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1209255105.0000000004278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 6516, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 6516, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 1692, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 1692, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

.NET source code contains very large array initializations

Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, VisualizationData.cs	Large array initialization: : array initializer size 497783
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, SelectedData.cs	Large array initialization: SelectedData: array initializer size 3070
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, FormEvents.cs	Large array initialization: FormEvents: array initializer size 3839

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 0_2_07E6F548	0_2_07E6F548
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 0_2_07E6F550	0_2_07E6F550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 0_2_07E6F988	0_2_07E6F988
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 0_2_07E6F978	0_2_07E6F978
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 0_2_081759D0	0_2_081759D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 0_2_08170006	0_2_08170006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 0_2_08170040	0_2_08170040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 0_2_081768E8	0_2_081768E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 0_2_08172138	0_2_08172138
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 0_2_08172148	0_2_08172148
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 0_2_08171798	0_2_08171798
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 0_2_0817178A	0_2_0817178A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_02F4B328	2_2_02F4B328
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_02F4F007	2_2_02F4F007
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_02F4C190	2_2_02F4C190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_02F46108	2_2_02F46108
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_02F4C752	2_2_02F4C752
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_02F4C470	2_2_02F4C470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_02F44AD9	2_2_02F44AD9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_02F4CA32	2_2_02F4CA32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_02F4BBD2	2_2_02F4BBD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_02F46880	2_2_02F46880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_02F49858	2_2_02F49858
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_02F4BEB0	2_2_02F4BEB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_02F43572	2_2_02F43572
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_02F4E528	2_2_02F4E528
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_02F4E517	2_2_02F4E517
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B379E8	2_2_05B379E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B336E8	2_2_05B336E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B382D8	2_2_05B382D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B311B0	2_2_05B311B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3D1B8	2_2_05B3D1B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B311C0	2_2_05B311C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3D1C8	2_2_05B3D1C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3C918	2_2_05B3C918
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B30900	2_2_05B30900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3C908	2_2_05B3C908
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3CD70	2_2_05B3CD70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B30D60	2_2_05B30D60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B30D51	2_2_05B30D51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3C4B0	2_2_05B3C4B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B304A0	2_2_05B304A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B30490	2_2_05B30490
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3F488	2_2_05B3F488
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B308F0	2_2_05B308F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3F8E0	2_2_05B3F8E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3F8D1	2_2_05B3F8D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3C4C0	2_2_05B3C4C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3F030	2_2_05B3F030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3F021	2_2_05B3F021
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3BC10	2_2_05B3BC10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3BC00	2_2_05B3BC00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B30006	2_2_05B30006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B37C08	2_2_05B37C08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3F478	2_2_05B3F478
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3C068	2_2_05B3C068
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3C058	2_2_05B3C058
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B30040	2_2_05B30040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3B7B8	2_2_05B3B7B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3B7A8	2_2_05B3B7A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3E780	2_2_05B3E780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3EBD8	2_2_05B3EBD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3EBC8	2_2_05B3EBC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3E328	2_2_05B3E328
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3E318	2_2_05B3E318
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3E770	2_2_05B3E770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3B360	2_2_05B3B360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3B34F	2_2_05B3B34F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3DED0	2_2_05B3DED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B336D8	2_2_05B336D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3DEC1	2_2_05B3DEC1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3D620	2_2_05B3D620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3D610	2_2_05B3D610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3DA78	2_2_05B3DA78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B37260	2_2_05B37260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B3DA69	2_2_05B3DA69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9B6F0	2_2_06D9B6F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9D678	2_2_06D9D678
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9AA60	2_2_06D9AA60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D98A10	2_2_06D98A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9C390	2_2_06D9C390
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D96728	2_2_06D96728
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9B0A8	2_2_06D9B0A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D99059	2_2_06D99059
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9A410	2_2_06D9A410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9D030	2_2_06D9D030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9C9E0	2_2_06D9C9E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D911A0	2_2_06D911A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9BD40	2_2_06D9BD40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D962D0	2_2_06D962D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D962C0	2_2_06D962C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9B6E1	2_2_06D9B6E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9AA50	2_2_06D9AA50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D95E78	2_2_06D95E78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9D669	2_2_06D9D669
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D95E68	2_2_06D95E68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D95A11	2_2_06D95A11
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D98A0A	2_2_06D98A0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D95A20	2_2_06D95A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D96FD8	2_2_06D96FD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D96FC9	2_2_06D96FC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D937C0	2_2_06D937C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D96B80	2_2_06D96B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9C380	2_2_06D9C380
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D937B0	2_2_06D937B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D96B72	2_2_06D96B72
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D96719	2_2_06D96719
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D93B38	2_2_06D93B38
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D97CF8	2_2_06D97CF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D908F0	2_2_06D908F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D908E0	2_2_06D908E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D90498	2_2_06D90498
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9789F	2_2_06D9789F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D90488	2_2_06D90488
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D978B0	2_2_06D978B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D97458	2_2_06D97458
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D97451	2_2_06D97451
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D90040	2_2_06D90040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D92C0F	2_2_06D92C0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9A400	2_2_06D9A400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D90007	2_2_06D90007
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D94838	2_2_06D94838
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D92C20	2_2_06D92C20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9D020	2_2_06D9D020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9C9D0	2_2_06D9C9D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D91191	2_2_06D91191
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D985B8	2_2_06D985B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D985A8	2_2_06D985A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D955A0	2_2_06D955A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D98150	2_2_06D98150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D90D48	2_2_06D90D48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D98160	2_2_06D98160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D97D08	2_2_06D97D08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D90D39	2_2_06D90D39
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9BD30	2_2_06D9BD30

Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1207520648.000000000131E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1208871690.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1211836261.00000000080F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1209255105.0000000004278000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1209255105.0000000004278000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000000.1181383069.0000000000E18000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameToBz.exe> vs SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000000.00000002.1210622422.0000000005C30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3646096606.0000000001177000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3645837674.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Binary or memory string: OriginalFilenameToBz.exe> vs SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.3645837674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3645837674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1209255105.0000000004278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1209255105.0000000004278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 6516, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 6516, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 1692, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 1692, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack, ---.cs	Base64 encoded string: 'xvt7iejCkuFuSlar/oezVf2tSjyeLol0O56iQIadWLRsK4Fl2D8bRyFVpvZEZHft'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack, ---.cs	Base64 encoded string: 'xvt7iejCkuFuSlar/oezVf2tSjyeLol0O56iQIadWLRsK4Fl2D8bRyFVpvZEZHft'

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, VtKlMWkUt5LJIYHW47.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, VtKlMWkUt5LJIYHW47.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, VtKlMWkUt5LJIYHW47.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, X8tf2NTPiRMiLlf80U.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, X8tf2NTPiRMiLlf80U.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, VtKlMWkUt5LJIYHW47.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, VtKlMWkUt5LJIYHW47.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, VtKlMWkUt5LJIYHW47.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, X8tf2NTPiRMiLlf80U.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, X8tf2NTPiRMiLlf80U.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Mutant created: NULL

Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.000000000336B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.000000000335B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3647546568.0000000003379000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	ReversingLabs: Detection: 33%
Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Virustotal: Detection: 32%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, VtKlMWkUt5LJIYHW47.cs	.Net Code: cc5bD6Sh5X System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, VtKlMWkUt5LJIYHW47.cs	.Net Code: cc5bD6Sh5X System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B32CF0 push esp; iretd	2_2_05B32CF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_05B326A8 push esp; retf	2_2_05B32931
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D99005 push es; ret	2_2_06D9904C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D97420 push 5D906C90h; ret	2_2_06D97443
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Code function: 2_2_06D9F1DC push es; iretd	2_2_06D9F22C

Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Static PE information: section name: .text entropy: 7.573189500244981

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, dtZUlxbglGTJkDrYwK.cs	High entropy of concatenated method names: 'pBTqvktk12', 'q7aq3kj0F2', 'oD7qDbNjLI', 'VORqCWM2Hs', 'gsiqxR6uxd', 'R2jqOb9tiY', 'chWqYHfvKY', 'm7GqjVZbj2', 'Tfyq0CWvK2', 'lFQqROrjGr'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, F7Jm8DzpfMncLRy9dQ.cs	High entropy of concatenated method names: 'UooLOAQuTl', 'vWILjv8AVX', 'yUqL005Kt2', 'KRgL29L0M6', 'alQL8JeaTc', 'JAmL7OxMdZ', 'avpLTXCj2A', 'p70LEhEdnY', 'oAELvanZI9', 'unxL3LDOTL'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, KDuqUAUiU7aAlaOKKq.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fk11oiUyhD', 'MsL1tkt8jK', 'mUL1zTfwvs', 'KdQsHRHJGs', 'k30sP2lc3R', 'pYAs1OZu1w', 'wd3ssq7ROq', 'YQH6LjqBle2LvwEAMat'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, VtKlMWkUt5LJIYHW47.cs	High entropy of concatenated method names: 'lCUs6bV1cm', 'tNHsFmpUxD', 'JoBsJXaZmw', 'E78scHeZDP', 'XfBsebLrI5', 'YLysAretyv', 'pZxsqDGXTF', 'cPxsy8nXfw', 'Px0sf0qrNu', 'G6hs4gIUFW'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, trCZ0OiilwKLPgXtyD6.cs	High entropy of concatenated method names: 'XcTLtoFwlU', 'lR9LzBRSvi', 'iBhKHdEa03', 'JtLKPs6tP1', 'k1cK1HaJ6F', 'e9CKsr0X3Q', 'wDBKbgPQIY', 'kZaK6ppFGd', 'aY0KF0qI48', 'ogfKJOYeq5'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, OFedRUp96REPNdOkD2.cs	High entropy of concatenated method names: 'zIV5XHdWPS', 't2259fZyFt', 'LDy5BR703r', 'wCT5ihWp87', 'F2658pfayT', 'raw5hQRT69', 'j3C57f49C6', 'faG5TVZoha', 'iA95VmB5E9', 'HeF5uUhbv6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, vkqgZNj9l4Ra9u1s7J.cs	High entropy of concatenated method names: 'hLtA6EBL4y', 'N1pAJB5C0I', 'RqSAe7eIcK', 'HaKAqPHaWp', 'j6ZAyDUK8b', 'FiMeSw6FM7', 'NyKerEL10n', 'gg1ew60Ag1', 'lLgenT4FFW', 'nkveoWs17c'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, X8tf2NTPiRMiLlf80U.cs	High entropy of concatenated method names: 'gL4JBGQdeX', 'R05JiQnybj', 'epVJU2fPqA', 'vXqJluHQDV', 'NkDJSsqlOg', 'd2CJrqNT3D', 'V1KJwVoD7G', 'afPJnv26BT', 'VNIJoVsTL6', 'VUjJtLCbCk'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, cCLoqJ7YkfCEP9MMOQ.cs	High entropy of concatenated method names: 'xhONnwXNeo', 'jpqNt0U7dJ', 'VsskHRIMQe', 'bFVkPAoYmD', 'TIwNGxhDDO', 'smjN9wFh0o', 'hB9Np7brhq', 'PrjNBTBDTe', 'HZUNipfkiH', 'DrDNUVKe5A'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, tgGZHBOV9nFhhTRwIc.cs	High entropy of concatenated method names: 'Uw8qFUY67l', 'G7Wqc4Bb6s', 'QEjqAGWY13', 'u53AtFcWVF', 'DFQAzWolyr', 'OFjqHgK0rc', 'NkRqPIlfSD', 'KpBq1RGiJ8', 'cdVqsW8Sw2', 'Ri3qbrV98y'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, Q5Q2hfi5LFO329wM8R6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yuIMme7rfR', 'nhqMLPMMdq', 'quwMKvFqjr', 'pGcMMW2q9o', 'b6rMalhdh4', 'VOeMImHDwp', 'PbbME6p80T'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, qUW6xDxD2VwbSxqimb.cs	High entropy of concatenated method names: 'UfYcC5V0qk', 'gQucOApUI5', 'QBNcj137iU', 'nr0c0C2mvD', 'E0dc5bPV02', 'th1cgATfGA', 'EphcNRTCjZ', 'qVXckIjGdo', 'NU3cmZU7NY', 'gAncL1uFrC'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, B93CZ0Earl2Zpo7DQu.cs	High entropy of concatenated method names: 'z6iZjQ7WiM', 'K8VZ0avgAN', 'ORkZ2RKjeV', 'UKrZ8Y5taC', 'sZHZ7Daa4c', 'G9PZTkiV7b', 'H7MZu0qWfr', 'PlPZW983op', 'scrZXgAetA', 'TJiZGRU4wg'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, lZn8bss17FVr3RD4bf.cs	High entropy of concatenated method names: 'MHCDQBehq', 'eSfC3gYTX', 'pPVOGQUAn', 'kY4YQJmtE', 'ysu01YNvs', 'MkcRdTgyn', 'FWuOdYjAS6JXGrW7M1', 'DdAm43K2ScpCawmSxt', 'e6YkiTj7h', 'PaHLRFS5w'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, v9DMC6ieQHx20TLUFIB.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Aj8LGQCSLf', 'iKPL9ThmRG', 'AXVLp0Ra5d', 'L4YLBZuXhD', 'gyoLiKCoWK', 'kuhLUxG5ID', 'atrLl5Fhln'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, bm5U0d5w4MyAnlKagk.cs	High entropy of concatenated method names: 'KfnPqCS5T4', 'W4QPyfl7hs', 'N36P4gFnei', 'Sc6PQwZ38D', 'yfIP51qPUG', 'hX0PgTHYBE', 'JqiEvT9RO3Ua6FOiyO', 'cCcREtdEeoGosDdutC', 'SqZPPIR1oH', 'UtTPspmuSa'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, ToZCwDhT8sIeVS30Em.cs	High entropy of concatenated method names: 'DTbm5FjODL', 'nFCmNjCA6e', 'wLOmmHKKuT', 'TWxmKTEYuX', 'sKYmaD4bZc', 'mIamE9xWcW', 'Dispose', 'Xd8kFfFbkV', 'oUlkJjW1xr', 'Ovrkc65UFJ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, oNNe91VutBA3npVvlB.cs	High entropy of concatenated method names: 'ssaN4wBq54', 'RskNQVcqwB', 'ToString', 'mvTNF1P1x8', 'XbuNJLiLGc', 'oAuNcu9Bi6', 'o7VNeDW6ig', 'ITgNAPXlU6', 'JKyNqjoaUq', 'mJENyK0VUU'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, ek0KX6o6NsvPVawYRn.cs	High entropy of concatenated method names: 'bQvLc0trlo', 'ej1Le9tcj2', 'WYHLACqhZ4', 'WcQLqrcs9u', 'R1hLmoDJoJ', 'a8YLyufUgt', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, V9RuHENpEU8MoobCZI.cs	High entropy of concatenated method names: 't12exU1peu', 'xdQeY4Cj7G', 'KglchDitnA', 'LF0c7XouwJ', 'Q4pcTnfYwZ', 'PVacV96Kk2', 'sT5cuyOM7x', 'EDTcW2Hd9h', 'SNQcd2Z1Ji', 'lkgcXi7jbB'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, Dm91nCfIUrYMpG6Ldo.cs	High entropy of concatenated method names: 'Dispose', 'oy7PoNOuGI', 'EkB18bO7lH', 'TtFMSvurOT', 'mjuPtKigT2', 'vsnPzVYGse', 'ProcessDialogKey', 'rHc1HupGXf', 'Th71P5gpip', 'I9i114BknS'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.80f0000.6.raw.unpack, NMpHpNLZqcWxUsIIoP.cs	High entropy of concatenated method names: 'fCwm2wA5bY', 'KZxm8BFt2X', 'QlImhWrUhw', 'uIem7IwaHL', 'aYlmTyiWps', 'HnKmVVZ6SJ', 'Xtwmujmicx', 'On1mW0UgfQ', 'FxOmdQet7D', 'ENLmX0asMV'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, dtZUlxbglGTJkDrYwK.cs	High entropy of concatenated method names: 'pBTqvktk12', 'q7aq3kj0F2', 'oD7qDbNjLI', 'VORqCWM2Hs', 'gsiqxR6uxd', 'R2jqOb9tiY', 'chWqYHfvKY', 'm7GqjVZbj2', 'Tfyq0CWvK2', 'lFQqROrjGr'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, F7Jm8DzpfMncLRy9dQ.cs	High entropy of concatenated method names: 'UooLOAQuTl', 'vWILjv8AVX', 'yUqL005Kt2', 'KRgL29L0M6', 'alQL8JeaTc', 'JAmL7OxMdZ', 'avpLTXCj2A', 'p70LEhEdnY', 'oAELvanZI9', 'unxL3LDOTL'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, KDuqUAUiU7aAlaOKKq.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fk11oiUyhD', 'MsL1tkt8jK', 'mUL1zTfwvs', 'KdQsHRHJGs', 'k30sP2lc3R', 'pYAs1OZu1w', 'wd3ssq7ROq', 'YQH6LjqBle2LvwEAMat'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, VtKlMWkUt5LJIYHW47.cs	High entropy of concatenated method names: 'lCUs6bV1cm', 'tNHsFmpUxD', 'JoBsJXaZmw', 'E78scHeZDP', 'XfBsebLrI5', 'YLysAretyv', 'pZxsqDGXTF', 'cPxsy8nXfw', 'Px0sf0qrNu', 'G6hs4gIUFW'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, trCZ0OiilwKLPgXtyD6.cs	High entropy of concatenated method names: 'XcTLtoFwlU', 'lR9LzBRSvi', 'iBhKHdEa03', 'JtLKPs6tP1', 'k1cK1HaJ6F', 'e9CKsr0X3Q', 'wDBKbgPQIY', 'kZaK6ppFGd', 'aY0KF0qI48', 'ogfKJOYeq5'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, OFedRUp96REPNdOkD2.cs	High entropy of concatenated method names: 'zIV5XHdWPS', 't2259fZyFt', 'LDy5BR703r', 'wCT5ihWp87', 'F2658pfayT', 'raw5hQRT69', 'j3C57f49C6', 'faG5TVZoha', 'iA95VmB5E9', 'HeF5uUhbv6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, vkqgZNj9l4Ra9u1s7J.cs	High entropy of concatenated method names: 'hLtA6EBL4y', 'N1pAJB5C0I', 'RqSAe7eIcK', 'HaKAqPHaWp', 'j6ZAyDUK8b', 'FiMeSw6FM7', 'NyKerEL10n', 'gg1ew60Ag1', 'lLgenT4FFW', 'nkveoWs17c'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, X8tf2NTPiRMiLlf80U.cs	High entropy of concatenated method names: 'gL4JBGQdeX', 'R05JiQnybj', 'epVJU2fPqA', 'vXqJluHQDV', 'NkDJSsqlOg', 'd2CJrqNT3D', 'V1KJwVoD7G', 'afPJnv26BT', 'VNIJoVsTL6', 'VUjJtLCbCk'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, cCLoqJ7YkfCEP9MMOQ.cs	High entropy of concatenated method names: 'xhONnwXNeo', 'jpqNt0U7dJ', 'VsskHRIMQe', 'bFVkPAoYmD', 'TIwNGxhDDO', 'smjN9wFh0o', 'hB9Np7brhq', 'PrjNBTBDTe', 'HZUNipfkiH', 'DrDNUVKe5A'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, tgGZHBOV9nFhhTRwIc.cs	High entropy of concatenated method names: 'Uw8qFUY67l', 'G7Wqc4Bb6s', 'QEjqAGWY13', 'u53AtFcWVF', 'DFQAzWolyr', 'OFjqHgK0rc', 'NkRqPIlfSD', 'KpBq1RGiJ8', 'cdVqsW8Sw2', 'Ri3qbrV98y'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, Q5Q2hfi5LFO329wM8R6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yuIMme7rfR', 'nhqMLPMMdq', 'quwMKvFqjr', 'pGcMMW2q9o', 'b6rMalhdh4', 'VOeMImHDwp', 'PbbME6p80T'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, qUW6xDxD2VwbSxqimb.cs	High entropy of concatenated method names: 'UfYcC5V0qk', 'gQucOApUI5', 'QBNcj137iU', 'nr0c0C2mvD', 'E0dc5bPV02', 'th1cgATfGA', 'EphcNRTCjZ', 'qVXckIjGdo', 'NU3cmZU7NY', 'gAncL1uFrC'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, B93CZ0Earl2Zpo7DQu.cs	High entropy of concatenated method names: 'z6iZjQ7WiM', 'K8VZ0avgAN', 'ORkZ2RKjeV', 'UKrZ8Y5taC', 'sZHZ7Daa4c', 'G9PZTkiV7b', 'H7MZu0qWfr', 'PlPZW983op', 'scrZXgAetA', 'TJiZGRU4wg'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, lZn8bss17FVr3RD4bf.cs	High entropy of concatenated method names: 'MHCDQBehq', 'eSfC3gYTX', 'pPVOGQUAn', 'kY4YQJmtE', 'ysu01YNvs', 'MkcRdTgyn', 'FWuOdYjAS6JXGrW7M1', 'DdAm43K2ScpCawmSxt', 'e6YkiTj7h', 'PaHLRFS5w'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, v9DMC6ieQHx20TLUFIB.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Aj8LGQCSLf', 'iKPL9ThmRG', 'AXVLp0Ra5d', 'L4YLBZuXhD', 'gyoLiKCoWK', 'kuhLUxG5ID', 'atrLl5Fhln'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, bm5U0d5w4MyAnlKagk.cs	High entropy of concatenated method names: 'KfnPqCS5T4', 'W4QPyfl7hs', 'N36P4gFnei', 'Sc6PQwZ38D', 'yfIP51qPUG', 'hX0PgTHYBE', 'JqiEvT9RO3Ua6FOiyO', 'cCcREtdEeoGosDdutC', 'SqZPPIR1oH', 'UtTPspmuSa'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, ToZCwDhT8sIeVS30Em.cs	High entropy of concatenated method names: 'DTbm5FjODL', 'nFCmNjCA6e', 'wLOmmHKKuT', 'TWxmKTEYuX', 'sKYmaD4bZc', 'mIamE9xWcW', 'Dispose', 'Xd8kFfFbkV', 'oUlkJjW1xr', 'Ovrkc65UFJ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, oNNe91VutBA3npVvlB.cs	High entropy of concatenated method names: 'ssaN4wBq54', 'RskNQVcqwB', 'ToString', 'mvTNF1P1x8', 'XbuNJLiLGc', 'oAuNcu9Bi6', 'o7VNeDW6ig', 'ITgNAPXlU6', 'JKyNqjoaUq', 'mJENyK0VUU'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, ek0KX6o6NsvPVawYRn.cs	High entropy of concatenated method names: 'bQvLc0trlo', 'ej1Le9tcj2', 'WYHLACqhZ4', 'WcQLqrcs9u', 'R1hLmoDJoJ', 'a8YLyufUgt', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, V9RuHENpEU8MoobCZI.cs	High entropy of concatenated method names: 't12exU1peu', 'xdQeY4Cj7G', 'KglchDitnA', 'LF0c7XouwJ', 'Q4pcTnfYwZ', 'PVacV96Kk2', 'sT5cuyOM7x', 'EDTcW2Hd9h', 'SNQcd2Z1Ji', 'lkgcXi7jbB'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, Dm91nCfIUrYMpG6Ldo.cs	High entropy of concatenated method names: 'Dispose', 'oy7PoNOuGI', 'EkB18bO7lH', 'TtFMSvurOT', 'mjuPtKigT2', 'vsnPzVYGse', 'ProcessDialogKey', 'rHc1HupGXf', 'Th71P5gpip', 'I9i114BknS'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.43b2398.2.raw.unpack, NMpHpNLZqcWxUsIIoP.cs	High entropy of concatenated method names: 'fCwm2wA5bY', 'KZxm8BFt2X', 'QlImhWrUhw', 'uIem7IwaHL', 'aYlmTyiWps', 'HnKmVVZ6SJ', 'Xtwmujmicx', 'On1mW0UgfQ', 'FxOmdQet7D', 'ENLmX0asMV'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 6516, type: MEMORYSTR

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Memory allocated: 1670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Memory allocated: 3270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Memory allocated: 1790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Memory allocated: 99F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Memory allocated: 8560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Memory allocated: A9F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Memory allocated: B9F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Memory allocated: 2F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Memory allocated: 3120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Memory allocated: 2F70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 599695	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 599561	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597795	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597686	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597356	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595246	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595139	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595027	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 594743	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 594542	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 594437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 594094	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Window / User API: threadDelayed 1558			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Window / User API: threadDelayed 8283			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6584	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6956	Thread sleep count: 1558 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6956	Thread sleep count: 8283 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -599695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -599561s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -597795s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -597686s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -597356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -596141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -596016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -595246s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -595139s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -595027s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -594743s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -594542s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -594437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -594328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -594219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe TID: 6960	Thread sleep time: -594094s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 599695	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 599561	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597795	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597686	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597356	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595246	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595139	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 595027	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 594743	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 594542	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 594437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Thread delayed: delay time: 594094	Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe, 00000002.00000002.3646157598.000000000121C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Code function: 2_2_05B379E8 LdrInitializeThunk,

2_2_05B379E8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization\v4.0_4.0.0.0__31bf3856ad364e35\System.Windows.Forms.DataVisualization.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3645837674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3647546568.00000000032EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1209255105.0000000004278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3647546568.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 6516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 1692, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3645837674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1209255105.0000000004278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 6516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 1692, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.429a390.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe.4279970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3645837674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3647546568.00000000032EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1209255105.0000000004278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3647546568.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 6516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe PID: 1692, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.11507.25552.exe