
Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Analysis ID: 756190
MD5: 65cf34490748f7924db84dc043f5d81e
SHA1: 1ea50942d4acf0561bd6bcb3fe0195069eb5c259
SHA256: 96642679196d3f732718eebf2e7970d7eca03ddc4645b3f0292db847ed82b24e
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe (PID: 5996 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe MD5: 65CF34490748F7924DB84DC043F5D81E)
    • schtasks.exe (PID: 4572 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmp2885.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • IwUNvHNy.exe (PID: 4664 cmdline: C:\Users\user\AppData\Roaming\IwUNvHNy.exe MD5: 65CF34490748F7924DB84DC043F5D81E)
    • schtasks.exe (PID: 3236 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CA.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • IwUNvHNy.exe (PID: 5060 cmdline: {path} MD5: 65CF34490748F7924DB84DC043F5D81E)
  • cleanup

Malware Configuration Extractor: AgentTesla {"Exfil Mode": "SMTP", "Host": "mail.strictfacilityservices.com", "Username": "accounts@strictfacilityservices.com", "Password": "SFS!@#321"}
Source | Rule | Description | Author | Strings
Source: 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0000000E.00000002.525739728.0000000003164000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_AgentTesla_d3ac2b2f | Description: unknown | Author: unknown | Strings:
  • 0x15a83a: $a13: get_DnsResolver
  • 0x190a5a: $a13: get_DnsResolver
  • 0x158f64: $a20: get_LastAccessed
  • 0x18f184: $a20: get_LastAccessed
  • 0x15b247: $a27: set_InternalServerPort
  • 0x191467: $a27: set_InternalServerPort
  • 0x15b590: $a30: set_GuidMasterKey
  • 0x1917b0: $a30: set_GuidMasterKey
  • 0x159076: $a33: get_Clipboard
  • 0x18f296: $a33: get_Clipboard
  • 0x159084: $a34: get_Keyboard
  • 0x18f2a4: $a34: get_Keyboard
  • 0x15a425: $a35: get_ShiftKeyDown
  • 0x190645: $a35: get_ShiftKeyDown
  • 0x15a436: $a36: get_AltKeyDown
  • 0x190656: $a36: get_AltKeyDown
  • 0x159091: $a37: get_Password
  • 0x18f2b1: $a37: get_Password
  • 0x159b80: $a38: get_PasswordHash
  • 0x18fda0: $a38: get_PasswordHash
  • 0x15ac7b: $a39: get_DefaultCredentials

Source | Rule | Description | Author | Strings
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack | Rule: MALWARE_Win_AgentTeslaV3 | Description: AgentTeslaV3 infostealer payload | Author: ditekSHen | Strings:
  • 0x32bcc: $s10: logins
  • 0x3264c: $s11: credential
  • 0x2e906: $g1: get_Clipboard
  • 0x2e914: $g2: get_Keyboard
  • 0x2e921: $g3: get_Password
  • 0x2fca5: $g4: get_CtrlKeyDown
  • 0x2fcb5: $g5: get_ShiftKeyDown
  • 0x2fcc6: $g6: get_AltKeyDown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack | Rule: Windows_Trojan_AgentTesla_d3ac2b2f | Description: unknown | Author: unknown | Strings:
  • 0x300ca: $a13: get_DnsResolver
  • 0x2e7f4: $a20: get_LastAccessed
  • 0x30ad7: $a27: set_InternalServerPort
  • 0x30e20: $a30: set_GuidMasterKey
  • 0x2e906: $a33: get_Clipboard
  • 0x2e914: $a34: get_Keyboard
  • 0x2fcb5: $a35: get_ShiftKeyDown
  • 0x2fcc6: $a36: get_AltKeyDown
  • 0x2e921: $a37: get_Password
  • 0x2f410: $a38: get_PasswordHash
  • 0x3050b: $a39: get_DefaultCredentials
Source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

                Persistence and Installation Behavior

Sigma match (Scheduled temp file as task from temp location)
Source: Process started | Author: Joe Security | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmp2885.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmp2885.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, ParentProcessId: 5996, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmp2885.tmp, ProcessId: 4572, ProcessName: schtasks.exe

Snort IDS alert
Timestamp: 11/29/22-19:38:19.561263
Source IP: 192.168.2.6
Destination IP: 111.118.212.38
Source Port: 49723
Destination Port: 587
Protocol: TCP
SID: 2030171
Classtype: A Network Trojan was detected

Snort IDS alert
Timestamp: 11/29/22-19:37:32.174046
Source IP: 192.168.2.6
Destination IP: 111.118.212.38
Source Port: 49718
Destination Port: 587
Protocol: TCP
SID: 2030171
Classtype: A Network Trojan was detected


                AV Detection

Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Joe Sandbox ML: detected
Source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.strictfacilityservices.com", "Username": "accounts@strictfacilityservices.com", "Password": "SFS!@#321"}
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 3.220.57.224:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.232.242.170:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ImbSRib.pdb | source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, IwUNvHNy.exe.0.dr
Source: Binary string: ImbSRib.pdbSHA256 | source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, IwUNvHNy.exe.0.dr

                Networking

Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49718 -> 111.118.212.38:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49723 -> 111.118.212.38:587
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | DNS query: name: api.ipify.org
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | IP Address: 3.232.242.170 3.232.242.170
Source: Joe Sandbox View | IP Address: 3.232.242.170 3.232.242.170
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.2.6:49718 -> 111.118.212.38:587
Source: global traffic | TCP traffic: 192.168.2.6:49718 -> 111.118.212.38:587
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://UrUbMY.com
Source: IwUNvHNy.exe, 0000000E.00000002.522029143.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000003.478235783.00000000014EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.537441042.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.537562439.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.537961908.00000000033EA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.strictfacilityservices.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.309903707.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.537562439.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.537961908.00000000033EA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://strictfacilityservices.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: IwUNvHNy.exe, 0000000E.00000002.533988988.00000000033AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://LwV7dxVvQwzS29UTCu.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.orgmail.strictfacilityservices.comaccounts
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 3.220.57.224:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.232.242.170:443 -> 192.168.2.6:49720 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\IwUNvHNy.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.308476627.00000000014CB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Window created: window name: CLIPBRDWNDCLASS

                System Summary

                barindex
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 11.2.IwUNvHNy.exe.293a138.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4269b20.2.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4269b20.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.31ea1d8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
                Source: 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0000000A.00000000.305776965.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 5996, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 532, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bB0063866u002d9900u002d46A9u002dBAF8u002dC30A0EC83145u007d/u00340AC4BAEu002d6FADu002d49F9u002dADA9u002d9C669FAB2230.csLarge array initialization: .cctor: array initializer size 10995
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 11.2.IwUNvHNy.exe.293a138.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4269b20.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4269b20.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.31ea1d8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
                Source: 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0000000A.00000000.305776965.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 5996, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 532, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 0_2_0177C1B4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 0_2_0177E670
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 0_2_0177E680
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 0_2_0764A758
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_00F6FC18
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_00F66D40
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_05C9C690
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_05C9D3F0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_05C90040
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_05C90930
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_05C92A40
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_0695EED0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_0695AEE8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_0695E608
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_06958D38
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_0695D620
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_0695E4B8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_0695A4D1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_06953582
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_069535CD
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_069525F8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_0695393D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_06A13630
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_06A10DF8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_06A15A40
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_06A18936
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.321918761.0000000004396000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameImbSRib.exe> vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000000.247679253.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameImbSRib.exe> vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2f5267af-d0fd-4225-915c-9145a26ede74.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.309903707.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCassa.dll< vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.309903707.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2f5267af-d0fd-4225-915c-9145a26ede74.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.336301911.0000000007900000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCassa.dll< vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.336921010.0000000007B20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000000.306091299.0000000000438000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2f5267af-d0fd-4225-915c-9145a26ede74.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.515826219.00000000009C8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Binary or memory string: OriginalFilenameImbSRib.exe> vs SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: IwUNvHNy.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmp2885.tmp
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe {path}
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\IwUNvHNy.exe C:\Users\user\AppData\Roaming\IwUNvHNy.exe
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CA.tmp
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Process created: C:\Users\user\AppData\Roaming\IwUNvHNy.exe {path}
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | File created: C:\Users\user\AppData\Roaming\IwUNvHNy.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | File created: C:\Users\user\AppData\Local\Temp\tmp2885.tmp
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/5@8/3
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.533880497.0000000002DA3000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.533836133.00000000033A6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5580:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:644:120:WilError_01
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Mutant created: \Sessions\1\BaseNamedObjects\wGWyZQWLyISRnwWQTXN
                Source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack, A/f2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: ImbSRib.pdb source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, IwUNvHNy.exe.0.dr
                Source: Binary string: ImbSRib.pdbSHA256 source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, IwUNvHNy.exe.0.dr

                Data Obfuscation

                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, frmMain.cs | .Net Code: XCXCXCXCXCXCXC System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: IwUNvHNy.exe.0.dr, frmMain.cs | .Net Code: XCXCXCXCXCXCXC System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 0.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.cf0000.0.unpack, frmMain.cs | .Net Code: XCXCXCXCXCXCXC System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, frmMain.cs | .Net Code: NewLateBinding.LateCall(A028, null, "Invoke", stackVariable31, null, null, stackVariable40, true)
                Source: IwUNvHNy.exe.0.dr, frmMain.cs | .Net Code: NewLateBinding.LateCall(A028, null, "Invoke", stackVariable31, null, null, stackVariable40, true)
                Source: 0.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.cf0000.0.unpack, frmMain.cs | .Net Code: NewLateBinding.LateCall(A028, null, "Invoke", stackVariable31, null, null, stackVariable40, true)
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 0_2_0177D469 pushfd ; ret
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 0_2_07645D28 push esp; retf
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 0_2_07645DCB pushfd ; retf
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 0_2_07644B70 push eax; ret
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_06952A47 push edi; retn 0000h
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_0695BA41 push edi; iretd
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_06953582 push es; retf
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_069535CD push es; retf
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_0695393D push es; retf
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_06A15A40 push es; retf A165h
                Source: initial sample | Static PE information: section name: .text entropy: 7.533959618381255
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | File created: C:\Users\user\AppData\Roaming\IwUNvHNy.exe

                Boot Survival

                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmp2885.tmp
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 5996, type: MEMORYSTR
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.309903707.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                Source: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.309903707.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 6016 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -21213755684765971s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -100000s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -99890s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 4152 Thread sleep count: 9863 > 30
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -99780s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -99666s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -99505s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -99343s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -99234s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -99123s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -99014s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -98905s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -98794s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -98686s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -98577s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -98467s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -98357s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -98249s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -98140s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -98027s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -97921s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -97810s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -97700s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -97593s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -97479s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -97368s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -97249s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -97139s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -97030s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -96921s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -96812s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -96686s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -96574s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -96452s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -96336s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -96203s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -96093s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -95984s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -95874s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -95765s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -95656s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -95546s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -95437s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -95326s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -95218s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -95109s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -94999s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -94890s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -94777s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -94671s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -94559s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe TID: 344 Thread sleep time: -94453s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 4908 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -16602069666338586s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -100000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -99859s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5324 Thread sleep count: 9738 > 30
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -99750s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -99640s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -99531s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -99421s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -99301s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -99156s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -99015s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -98906s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -98781s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -98671s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -98546s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -98421s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -98310s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -98198s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -98077s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -97953s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -97828s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -97718s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -97593s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -97473s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -97356s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -97203s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -97093s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -96968s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -96859s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -96734s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -96623s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -96484s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -96359s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -96250s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -96138s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -96023s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -95738s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -95623s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe TID: 5336 Thread sleep time: -95416s >= -30000s
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Window / User API: threadDelayed 9863
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe Window / User API: threadDelayed 9738
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 100000
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 99890
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 99780
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 99666
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 99505
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 99343
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 99234
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 99123
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 99014
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 98905
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 98794
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 98686
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 98577
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 98467
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 98357
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 98249
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 98140
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 98027
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 97921
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 97810
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 97700
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 97593
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 97479
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 97368
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 97249
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 97139
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 97030
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 96921
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 96812
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 96686
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 96574
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 96452
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 96336
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 96203
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 96093
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 95984
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 95874
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 95765
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 95656
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 95546
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 95437
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 95326
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 95218
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 95109
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 94999
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 94890
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 94777
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 94671
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe Thread delayed: delay time: 94559
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeThread delayed: delay time: 94453
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 100000
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 99859
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 99750
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 99640
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 99531
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 99421
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 99301
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 99156
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 99015
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 98906
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 98781
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 98671
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 98546
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 98421
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 98310
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 98198
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 98077
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 97953
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 97828
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 97718
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 97593
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 97473
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 97356
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 97203
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 97093
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 96968
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 96859
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 96734
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 96623
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 96484
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 96359
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 96250
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 96138
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 96023
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 95738
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 95623
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Thread delayed: delay time: 95416
                Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
                Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                Source: IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                Source: IwUNvHNy.exe, 0000000E.00000002.522868815.0000000001504000.00000004.00000020.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000003.478235783.00000000014EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Code function: 10_2_06955780 LdrInitializeThunk,
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Memory written: C:\Users\user\AppData\Roaming\IwUNvHNy.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmp2885.tmp
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe {path}
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CA.tmp
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Process created: C:\Users\user\AppData\Roaming\IwUNvHNy.exe {path}
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Queries volume information: C:\Users\user\AppData\Roaming\IwUNvHNy.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Queries volume information: C:\Users\user\AppData\Roaming\IwUNvHNy.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4269b20.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000000.305776965.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 5996, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 532, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: IwUNvHNy.exe PID: 5060, type: MEMORYSTR
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Roaming\IwUNvHNy.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: Yara match | File source: 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.525739728.0000000003164000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.525329197.0000000002B54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 532, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: IwUNvHNy.exe PID: 5060, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4269b20.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.4314970.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000000.305776965.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 5996, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe PID: 532, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: IwUNvHNy.exe PID: 5060, type: MEMORYSTR

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts211
                Windows Management Instrumentation
                1
                Scheduled Task/Job
                111
                Process Injection
                1
                Disable or Modify Tools
                2
                OS Credential Dumping
                1
                File and Directory Discovery
                Remote Services11
                Archive Collected Data
                Exfiltration Over Other Network Medium1
                Ingress Tool Transfer
                Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default Accounts1
                Scheduled Task/Job
                Boot or Logon Initialization Scripts1
                Scheduled Task/Job
                1
                Deobfuscate/Decode Files or Information
                111
                Input Capture
                114
                System Information Discovery
                Remote Desktop Protocol2
                Data from Local System
                Exfiltration Over Bluetooth11
                Encrypted Channel
                Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)2
                Obfuscated Files or Information
                1
                Credentials in Registry
                1
                Query Registry
                SMB/Windows Admin Shares1
                Email Collection
                Automated Exfiltration1
                Non-Standard Port
                Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)23
                Software Packing
                NTDS211
                Security Software Discovery
                Distributed Component Object Model111
                Input Capture
                Scheduled Transfer2
                Non-Application Layer Protocol
                SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                Masquerading
                LSA Secrets1
                Process Discovery
                SSH1
                Clipboard Data
                Data Transfer Size Limits23
                Application Layer Protocol
                Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.common131
                Virtualization/Sandbox Evasion
                Cached Domain Credentials131
                Virtualization/Sandbox Evasion
                VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup Items111
                Process Injection
                DCSync1
                Application Window Discovery
                Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
                Remote System Discovery
                Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
                System Network Configuration Discovery
                Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                Behavior Graph ID: 756190
                Sample: SecuriteInfo.com.Win32.PWSX...
                Startdate: 29/11/2022
                Architecture: WINDOWS
                Score: 100
                Node 2 (start) signatures:
                45 Snort IDS alert for network traffic (2->45)
                47 Malicious sample detected (through community Yara rule) (2->47)
                49 Sigma detected: Scheduled temp file as task from temp location (2->49)
                51 7 other signatures (2->51)
                Node 2 (start) processes:
                7 SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe 6 (2->7 started)
                11 IwUNvHNy.exe 5 (2->11 started)
                Node 7 files:
                27 C:\Users\user\AppData\Roaming\IwUNvHNy.exe, PE32 (7->27 dropped)
                29 C:\Users\user\AppData\Local\...\tmp2885.tmp, XML (7->29 dropped)
                31 SecuriteInfo.com.W...18868.10449.exe.log, ASCII (7->31 dropped)
                Node 7 signatures:
                53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) (7->53)
                55 May check the online IP address of the machine (7->55)
                57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) (7->57)
                59 Uses schtasks.exe or at.exe to add and modify task schedules (7->59)
                Node 7 processes:
                13 SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe 15 3 (7->13 started)
                17 schtasks.exe 1 (7->17 started)
                Node 11 signatures:
                61 Machine Learning detection for dropped file (11->61)
                63 Injects a PE file into a foreign processes (11->63)
                Node 11 processes:
                19 IwUNvHNy.exe 14 3 (11->19 started)
                21 schtasks.exe 1 (11->21 started)
                Node 13 DNS/IP:
                33 strictfacilityservices.com 111.118.212.38, 49718, 49723, 587 PUBLIC-DOMAIN-REGISTRYUS India (13->33)
                35 mail.strictfacilityservices.com (13->35)
                43 2 other IPs or domains (13->43)
                Node 13 signatures:
                65 Installs a global keyboard hook (13->65)
                Node 17 processes:
                23 conhost.exe (17->23 started)
                Node 19 DNS/IP:
                37 mail.strictfacilityservices.com (19->37)
                39 3.232.242.170, 443, 49720 AMAZON-AESUS United States (19->39)
                41 api.ipify.org (19->41)
                Node 19 signatures:
                67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) (19->67)
                69 Tries to steal Mail credentials (via file / registry access) (19->69)
                71 Tries to harvest and steal ftp login credentials (19->71)
                73 Tries to harvest and steal browser information (history, passwords, etc) (19->73)
                Node 21 processes:
                25 conhost.exe (21->25 started)

                Source | Detection | Scanner | Label
                SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | 100% | Joe Sandbox ML |
                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Roaming\IwUNvHNy.exe | 100% | Joe Sandbox ML |
                Source | Detection | Scanner | Label
                10.0.SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
                http://www.tiro.com | 0% | URL Reputation | safe
                http://www.goodfont.co.kr | 0% | URL Reputation | safe
                http://www.carterandcone.coml | 0% | URL Reputation | safe
                http://www.sajatypeworks.com | 0% | URL Reputation | safe
                http://www.typography.netD | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                http://fontfabrik.com | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
                https://LwV7dxVvQwzS29UTCu.com | 0% | Avira URL Cloud | safe
                http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                http://www.sandoll.co.kr | 0% | URL Reputation | safe
                http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                http://www.sakkal.com | 0% | URL Reputation | safe
                http://UrUbMY.com | 0% | Avira URL Cloud | safe
                https://api.ipify.orgmail.strictfacilityservices.comaccounts | 0% | Avira URL Cloud | safe
                http://mail.strictfacilityservices.com | 0% | Avira URL Cloud | safe
                http://strictfacilityservices.com | 0% | Avira URL Cloud | safe
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                api.ipify.org.herokudns.com | 3.220.57.224 | true | false | | unknown
                strictfacilityservices.com | 111.118.212.38 | true | true | | unknown
                api.ipify.org | unknown | unknown | false | | high
                mail.strictfacilityservices.com | unknown | unknown | true | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                https://api.ipify.org/ | false | | high
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://127.0.0.1:HTTP/1.1 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                http://www.apache.org/licenses/LICENSE-2.0 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.fontbureau.com | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.fontbureau.com/designersG | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://mail.strictfacilityservices.com | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.537441042.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.537562439.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.537961908.00000000033EA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.fontbureau.com/designers/? | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://UrUbMY.com | IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.founder.com.cn/cn/bThe | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers? | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://LwV7dxVvQwzS29UTCu.com | IwUNvHNy.exe, 0000000E.00000002.533988988.00000000033AB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://strictfacilityservices.com | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.537562439.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.537961908.00000000033EA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.tiro.com | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://api.ipify.orgmail.strictfacilityservices.comaccounts | IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.fontbureau.com/designers | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.goodfont.co.kr | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.carterandcone.coml | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.sajatypeworks.com | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.typography.netD | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers/cabarga.htmlN | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.founder.com.cn/cn/cThe | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.galapagosdesign.com/staff/dennis.htm | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://api.ipify.org | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://fontfabrik.com | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.founder.com.cn/cn | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers/frere-jones.html | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.jiyu-kobo.co.jp/ | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://DynDns.comDynDNSnamejidpasswordPsi/Psi | IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.galapagosdesign.com/DPlease | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers8 | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.fonts.com | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.sandoll.co.kr | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.urwpp.deDPlease | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.zhongyicts.com.cn | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.309903707.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000B.00000002.420173402.000000000293A000.00000004.00000800.00020000.00000000.sdmp, IwUNvHNy.exe, 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false
                                                  high
                                                  http://www.sakkal.comSecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe, 00000000.00000002.332440019.00000000071C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
IP | Domain | Country | ASN | ASN Name | Malicious
3.232.242.170 | unknown | United States | 14618 | AMAZON-AES, US | false
111.118.212.38 | strictfacilityservices.com | India | 394695 | PUBLIC-DOMAIN-REGISTRY, US | true
3.220.57.224 | api.ipify.org.herokudns.com | United States | 14618 | AMAZON-AES, US | false
                                                  Joe Sandbox Version:36.0.0 Rainbow Opal
                                                  Analysis ID:756190
                                                  Start date and time:2022-11-29 19:35:29 +01:00
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 9m 41s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:light
                                                  Sample file name:SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:17
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@12/5@8/3
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HDC Information:Failed
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 0
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • VT rate limit hit for: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Time | Type | Description
19:36:46 | API Interceptor | 443x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe modified
19:36:53 | Task Scheduler | Run new task: IwUNvHNy path: C:\Users\user\AppData\Roaming\IwUNvHNy.exe
19:37:30 | API Interceptor | 111x Sleep call for process: IwUNvHNy.exe modified
                                                  Process:C:\Users\user\AppData\Roaming\IwUNvHNy.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.355304211458859
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                  Malicious:false
                                                  Reputation:high, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.355304211458859
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                  Malicious:true
                                                  Reputation:high, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1653
                                                  Entropy (8bit):5.16002706959876
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3htn:cbha7JlNQV/rydbz9I3YODOLNdq3p
                                                  MD5:F40F87D29A87D92FDBAF4AB9EA2AD62E
                                                  SHA1:2CC0B2D5242FF42D741D4BE9D1F531B28B7AC654
                                                  SHA-256:8339BEE9CD4844E7B0203BEDA7E523D14BD3CC2CF5A9FF120AB8B308CAD3F72E
                                                  SHA-512:4DF148E8BCEBA1230798FF861827F115EBF6884B2F7EB83C9B0705CA7B81BF12C8A9DA40C175190D91DC2792CC93868B935654187DDD4023EF23833DB961A1FD
                                                  Malicious:true
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
                                                  Process:C:\Users\user\AppData\Roaming\IwUNvHNy.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1653
                                                  Entropy (8bit):5.16002706959876
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3htn:cbha7JlNQV/rydbz9I3YODOLNdq3p
                                                  MD5:F40F87D29A87D92FDBAF4AB9EA2AD62E
                                                  SHA1:2CC0B2D5242FF42D741D4BE9D1F531B28B7AC654
                                                  SHA-256:8339BEE9CD4844E7B0203BEDA7E523D14BD3CC2CF5A9FF120AB8B308CAD3F72E
                                                  SHA-512:4DF148E8BCEBA1230798FF861827F115EBF6884B2F7EB83C9B0705CA7B81BF12C8A9DA40C175190D91DC2792CC93868B935654187DDD4023EF23833DB961A1FD
                                                  Malicious:false
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
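The two task definitions above are one and the same 1653-byte file (identical MD5/SHA-1/SHA-256), written once by the dropper and once by its IwUNvHNy.exe copy, and the timeline entry at 19:36:53 shows the task IwUNvHNy being registered with the action path C:\Users\user\AppData\Roaming\IwUNvHNy.exe. What follows is an added example, not part of the Joe Sandbox report, that pulls the persistence-relevant fields out of such a task file and flags what an analyst checks first: an action path in a user-writable directory, an enabled logon trigger, LeastPrivilege (the task was registered without any elevation) and a RegistrationInfo/Date years older than the analysis, which marks the XML as a template carried by the dropper. The XML it parses is constructed: the part visible in the report's preview is reproduced verbatim, the rest of <Settings> is omitted, and the <Actions> element, which the truncated preview does not show, is assumed from the timeline entry.

```python
"""Triage a Task Scheduler XML definition for persistence red flags.

Added example for this report, not Joe Sandbox code. SAMPLE_TASK_XML is
CONSTRUCTED: everything up to <Settings> is the report's preview of the
dropped task file; the <Actions> block is assumed from the timeline entry
"Run new task: IwUNvHNy path: C:\\Users\\user\\AppData\\Roaming\\IwUNvHNy.exe".
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
REPORT_START = datetime(2022, 11, 29, 19, 35, 29)  # analysis start, from the report header

# Locations a standard user can write to; a task whose action lives here is
# the pattern behind the report's "Scheduled temp file as task" Sigma hit.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local\\Temp)|Users\\Public|ProgramData|Downloads|Temp)\\",
    re.IGNORECASE,
)

SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\IwUNvHNy.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def _text(root, path):
    el = root.find(path)
    return el.text.strip() if el is not None and el.text else None


def triage_task_xml(data: bytes, reference_time: datetime = REPORT_START) -> dict:
    """Parse an exported task (UTF-16 bytes, as Windows writes them) and
    return the persistence-relevant fields plus a list of findings."""
    root = ET.fromstring(data)
    findings = []

    # Only triggers that are not explicitly disabled count (the report's
    # task carries a disabled RegistrationTrigger next to the live one).
    enabled_triggers = []
    triggers = root.find(f"{NS}Triggers")
    if triggers is not None:
        for trig in triggers:
            flag = trig.find(f"{NS}Enabled")
            if flag is None or (flag.text or "").strip().lower() != "false":
                enabled_triggers.append(trig.tag.replace(NS, ""))

    command = _text(root, f"{NS}Actions/{NS}Exec/{NS}Command")
    run_level = _text(root, f"{NS}Principals/{NS}Principal/{NS}RunLevel")
    user_id = _text(root, f"{NS}Principals/{NS}Principal/{NS}UserId")
    reg_date_text = _text(root, f"{NS}RegistrationInfo/{NS}Date")

    if command and USER_WRITABLE.search(command):
        findings.append(f"action runs from a user-writable path: {command}")
    if "LogonTrigger" in enabled_triggers:
        findings.append(f"LogonTrigger: re-executes at every logon of {user_id}")
    if run_level == "LeastPrivilege":
        findings.append("RunLevel LeastPrivilege: registered without any elevation")
    if reg_date_text:
        # Windows writes seven fractional digits; parse only the whole-second part.
        reg_date = datetime.strptime(reg_date_text[:19], "%Y-%m-%dT%H:%M:%S")
        age_days = (reference_time - reg_date).days
        if age_days > 365:
            findings.append(
                f"RegistrationInfo/Date {reg_date:%Y-%m-%d} is {age_days} days before the "
                "analysis: a template value baked into the dropper, not the real creation time"
            )
    return {
        "command": command,
        "enabled_triggers": enabled_triggers,
        "run_level": run_level,
        "findings": findings,
    }


def triage_sample() -> dict:
    # Windows stores task XML as UTF-16 with a BOM; encode the constructed
    # sample the same way so the parser sees what it would read from disk.
    return triage_task_xml(SAMPLE_TASK_XML.encode("utf-16"))
```

On a live host the same function can be pointed at the files under C:\Windows\System32\Tasks\ (they are UTF-16 XML of exactly this schema); the registration-date check is only meaningful relative to when the task actually appeared, so feed it the file's creation time rather than the analysis clock when hunting.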
                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):731648
                                                  Entropy (8bit):7.5267056901942135
                                                  Encrypted:false
                                                  SSDEEP:12288:EMFVoh7SJnnlJgcu34IjRN1T05AtGuFr5cE8LHWK:fFV7nAFrjn+5UAvL
                                                  MD5:65CF34490748F7924DB84DC043F5D81E
                                                  SHA1:1EA50942D4ACF0561BD6BCB3FE0195069EB5C259
                                                  SHA-256:96642679196D3F732718EEBF2E7970D7ECA03DDC4645B3F0292DB847ED82B24E
                                                  SHA-512:0366181FD6A174509B244521E01760116D664B15F0C61BA4DBE1D8C2B35FEBDCDF90836CD553361F0A972ACC1EE2477D3ADA30F9382DC2D895B12C3ACE80C55F
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!..c..............P..............<... ...@....@.. ....................................@..................................;..O....@.......................`......L...T............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......(..............@..B.................;......H.......................................................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r3..p~....o-...(......t$....+..*...0..&........(....r_..p~....o-...(......
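The dropped PE32 above carries the sample's own MD5, SHA-1 and SHA-256 (compare the static hashes below), so it is the sample copying itself, by the timeline entry to C:\Users\user\AppData\Roaming\IwUNvHNy.exe, rather than a second-stage payload. The two 1216-byte text files and the two task XMLs are byte-identical pairs, each written once by the dropper and once by the copy, and each pair carries one Malicious:true and one Malicious:false verdict, because the sandbox judges per write event, not per content. As an added example (not Joe Sandbox output) the following groups the records transcribed from these entries by SHA-256 and sorts the hashes into what belongs on a blocklist, what is hunting context and what is noise; the file paths are not in the extracted report and are therefore not part of the records.

```python
"""Correlate the report's dropped-file records by content hash.

Added example, not Joe Sandbox output. DROPPED is transcribed from the
dropped-file entries above (writing process, type, size, SHA-256,
per-record verdict and reputation).
"""
from collections import defaultdict

SAMPLE_SHA256 = "96642679196d3f732718eebf2e7970d7eca03ddc4645b3f0292db847ed82b24e"
DROPPER = r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe"
COPY = r"C:\Users\user\AppData\Roaming\IwUNvHNy.exe"

DROPPED = [
    {"process": COPY, "type": "ASCII text", "size": 1216,
     "sha256": "A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87",
     "malicious": False, "reputation": "high, very likely benign file"},
    {"process": DROPPER, "type": "ASCII text", "size": 1216,
     "sha256": "A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87",
     "malicious": True, "reputation": "high, very likely benign file"},
    {"process": DROPPER, "type": "XML 1.0 document", "size": 1653,
     "sha256": "8339BEE9CD4844E7B0203BEDA7E523D14BD3CC2CF5A9FF120AB8B308CAD3F72E",
     "malicious": True, "reputation": None},
    {"process": COPY, "type": "XML 1.0 document", "size": 1653,
     "sha256": "8339BEE9CD4844E7B0203BEDA7E523D14BD3CC2CF5A9FF120AB8B308CAD3F72E",
     "malicious": False, "reputation": None},
    {"process": DROPPER, "type": "PE32 executable (GUI) Intel 80386 Mono/.Net assembly", "size": 731648,
     "sha256": "96642679196D3F732718EEBF2E7970D7ECA03DDC4645B3F0292DB847ED82B24E",
     "malicious": True, "reputation": None},
]


def correlate_dropped(records: list, sample_sha256: str) -> dict:
    """Group records by SHA-256 and derive what an IOC list needs: self-copies
    of the sample, duplicates with inconsistent verdicts, and a triage of the
    unique hashes into block / context / noise."""
    by_hash = defaultdict(list)
    for rec in records:
        by_hash[rec["sha256"].lower()].append(rec)

    out = {"self_copies": [], "conflicting_verdicts": [], "block": [], "context": [], "noise": []}
    for digest, group in by_hash.items():
        writers = sorted({g["process"] for g in group})
        kind = group[0]["type"]
        if digest == sample_sha256.lower():
            # Byte-identical to the submitted sample: the malware copying
            # itself to a persistence location, not a new payload.
            out["self_copies"].append({"sha256": digest, "written_by": writers})
        if len({g["malicious"] for g in group}) > 1:
            # Same bytes, opposite verdicts: the sandbox scores the write
            # event, so dedupe by hash before trusting either flag.
            out["conflicting_verdicts"].append({"sha256": digest, "type": kind, "written_by": writers})
        if kind.startswith("PE32"):
            out["block"].append(digest)            # executable content: blocklist it
        elif any((g["reputation"] or "").startswith("high, very likely benign") for g in group):
            out["noise"].append(digest)            # generic runtime artefact, high false-positive risk
        else:
            out["context"].append(digest)          # e.g. the task XML: useful for hunting, not for AV
    return out


def correlate_sample() -> dict:
    return correlate_dropped(DROPPED, SAMPLE_SHA256)
```

The 1216-byte text files are the .NET assembly-binding log the runtime writes for any managed process (the preview lists System.Windows.Forms, System.Drawing and friends), which is why the report itself rates them "very likely benign" despite one record being flagged Malicious; the task XML is specific enough to hunt on but embeds the local account name, so it is context rather than a portable signature.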
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.5267056901942135
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  File name:SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                                                  File size:731648
                                                  MD5:65cf34490748f7924db84dc043f5d81e
                                                  SHA1:1ea50942d4acf0561bd6bcb3fe0195069eb5c259
                                                  SHA256:96642679196d3f732718eebf2e7970d7eca03ddc4645b3f0292db847ed82b24e
                                                  SHA512:0366181fd6a174509b244521e01760116d664b15f0c61ba4dbe1d8c2b35febdcdf90836cd553361f0a972acc1ee2477d3ada30f9382dc2d895b12c3ace80c55f
                                                  SSDEEP:12288:EMFVoh7SJnnlJgcu34IjRN1T05AtGuFr5cE8LHWK:fFV7nAFrjn+5UAvL
                                                  TLSH:7FF46B9132B18573F4DF4279541871CC2D7DB543BAD6E20B6B7B3A4086029BFF6A8E12
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!..c..............P..............<... ...@....@.. ....................................@................................
                                                  Icon Hash:00828e8e8686b000
                                                  Entrypoint:0x4b3c0a
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x63861F21 [Tue Nov 29 15:02:57 2022 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times in the original listing)
The six-byte jmp is the whole of the native entry point. For a .NET image the entry stub jumps through the IAT (IMAGE_DIRECTORY_ENTRY_IAT at 0x2000, below) to the only import, mscoree.dll!_CorExeMain; the bytes after it are zero padding, which the disassembler renders as "add byte ptr [eax], al" (opcode 00 00). Nothing in this listing reflects the sample's logic, which is CIL reached through the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at 0x2008), so static analysis continues in a .NET decompiler, not an x86 disassembler.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb3bb6 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb4000 | 0x608 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb184c | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb1c10 | 0xb1e00 | False | 0.7931252196064652 | data | 7.533959618381255 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb4000 | 0x608 | 0x800 | False | 0.33349609375 | data | 3.4497386267724677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xb4090 | 0x378 | data | |
RT_MANIFEST | 0xb4418 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/29/22-19:38:19.561263 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49723 | 587 | 192.168.2.6 | 111.118.212.38
11/29/22-19:37:32.174046 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49718 | 587 | 192.168.2.6 | 111.118.212.38
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2022 19:37:07.584291935 CET | 49713 | 443 | 192.168.2.6 | 3.220.57.224
Nov 29, 2022 19:37:07.584352016 CET | 443 | 49713 | 3.220.57.224 | 192.168.2.6
Nov 29, 2022 19:37:07.584460974 CET | 49713 | 443 | 192.168.2.6 | 3.220.57.224
Nov 29, 2022 19:37:07.676655054 CET | 49713 | 443 | 192.168.2.6 | 3.220.57.224
Nov 29, 2022 19:37:07.676713943 CET | 443 | 49713 | 3.220.57.224 | 192.168.2.6
Nov 29, 2022 19:37:07.981940985 CET | 443 | 49713 | 3.220.57.224 | 192.168.2.6
Nov 29, 2022 19:37:07.982059002 CET | 49713 | 443 | 192.168.2.6 | 3.220.57.224
Nov 29, 2022 19:37:07.986948967 CET | 49713 | 443 | 192.168.2.6 | 3.220.57.224
Nov 29, 2022 19:37:07.986968040 CET | 443 | 49713 | 3.220.57.224 | 192.168.2.6
Nov 29, 2022 19:37:07.987286091 CET | 443 | 49713 | 3.220.57.224 | 192.168.2.6
Nov 29, 2022 19:37:08.115922928 CET | 49713 | 443 | 192.168.2.6 | 3.220.57.224
Nov 29, 2022 19:37:09.107095003 CET | 49713 | 443 | 192.168.2.6 | 3.220.57.224
Nov 29, 2022 19:37:09.107141018 CET | 443 | 49713 | 3.220.57.224 | 192.168.2.6
Nov 29, 2022 19:37:09.254287958 CET | 443 | 49713 | 3.220.57.224 | 192.168.2.6
Nov 29, 2022 19:37:09.254414082 CET | 443 | 49713 | 3.220.57.224 | 192.168.2.6
Nov 29, 2022 19:37:09.254643917 CET | 49713 | 443 | 192.168.2.6 | 3.220.57.224
Nov 29, 2022 19:37:09.275145054 CET | 49713 | 443 | 192.168.2.6 | 3.220.57.224
Nov 29, 2022 19:37:27.280982018 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:37:27.559288979 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:37:27.559411049 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:37:28.572220087 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:37:28.572333097 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:37:29.863013029 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:37:29.869247913 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:37:30.148148060 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:37:30.150072098 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:37:30.429714918 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:37:30.430197001 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:37:30.751842976 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:37:31.260838985 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:37:31.261821985 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:37:31.541266918 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:37:31.541328907 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:37:31.541712999 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:37:31.860230923 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:37:31.893450022 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:37:31.893871069 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:37:32.172013044 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:37:32.172235012 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:37:32.174046040 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:37:32.174232006 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:37:32.174340963 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:37:32.174438953 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:37:32.454286098 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:37:32.454948902 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:37:32.508652925 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:37:53.167459011 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 19:37:53.167522907 CET | 443 | 49720 | 3.232.242.170 | 192.168.2.6
Nov 29, 2022 19:37:53.167608976 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 19:37:53.205972910 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 19:37:53.206012011 CET | 443 | 49720 | 3.232.242.170 | 192.168.2.6
Nov 29, 2022 19:37:53.510446072 CET | 443 | 49720 | 3.232.242.170 | 192.168.2.6
Nov 29, 2022 19:37:53.510565996 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 19:37:53.513940096 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 19:37:53.513962984 CET | 443 | 49720 | 3.232.242.170 | 192.168.2.6
Nov 29, 2022 19:37:53.514383078 CET | 443 | 49720 | 3.232.242.170 | 192.168.2.6
Nov 29, 2022 19:37:53.652631998 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 19:37:54.518997908 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 19:37:54.519059896 CET | 443 | 49720 | 3.232.242.170 | 192.168.2.6
Nov 29, 2022 19:37:54.751689911 CET | 443 | 49720 | 3.232.242.170 | 192.168.2.6
Nov 29, 2022 19:37:54.751791000 CET | 443 | 49720 | 3.232.242.170 | 192.168.2.6
Nov 29, 2022 19:37:54.752917051 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 19:37:54.754750013 CET | 49720 | 443 | 192.168.2.6 | 3.232.242.170
Nov 29, 2022 19:38:15.748650074 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:38:16.021739006 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:38:16.021903038 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:38:17.044811010 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:38:17.049279928 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:38:17.323196888 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:38:17.323652983 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:38:17.597578049 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:38:17.598759890 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:38:17.912106991 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:38:18.662144899 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:38:18.662529945 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:38:18.936058044 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:38:18.936109066 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:38:18.936378002 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:38:19.257188082 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:38:19.277188063 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:38:19.277587891 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:38:19.559030056 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:38:19.559258938 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:38:19.561263084 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:38:19.561371088 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:38:19.561435938 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:38:19.561502934 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38
Nov 29, 2022 19:38:19.834079981 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:38:19.835743904 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6
Nov 29, 2022 19:38:19.887628078 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2022 19:37:07.495767117 CET | 49448 | 53 | 192.168.2.6 | 8.8.8.8
Nov 29, 2022 19:37:07.512861967 CET | 53 | 49448 | 8.8.8.8 | 192.168.2.6
Nov 29, 2022 19:37:07.538335085 CET | 59082 | 53 | 192.168.2.6 | 8.8.8.8
Nov 29, 2022 19:37:07.555747032 CET | 53 | 59082 | 8.8.8.8 | 192.168.2.6
Nov 29, 2022 19:37:26.407497883 CET | 63229 | 53 | 192.168.2.6 | 8.8.8.8
Nov 29, 2022 19:37:26.803889990 CET | 53 | 63229 | 8.8.8.8 | 192.168.2.6
Nov 29, 2022 19:37:26.886347055 CET | 62538 | 53 | 192.168.2.6 | 8.8.8.8
Nov 29, 2022 19:37:27.278209925 CET | 53 | 62538 | 8.8.8.8 | 192.168.2.6
Nov 29, 2022 19:37:53.002229929 CET | 51530 | 53 | 192.168.2.6 | 8.8.8.8
Nov 29, 2022 19:37:53.021419048 CET | 53 | 51530 | 8.8.8.8 | 192.168.2.6
Nov 29, 2022 19:37:53.077909946 CET | 56122 | 53 | 192.168.2.6 | 8.8.8.8
Nov 29, 2022 19:37:53.096793890 CET | 53 | 56122 | 8.8.8.8 | 192.168.2.6
Nov 29, 2022 19:38:15.257229090 CET | 61609 | 53 | 192.168.2.6 | 8.8.8.8
Nov 29, 2022 19:38:15.647279024 CET | 53 | 61609 | 8.8.8.8 | 192.168.2.6
Nov 29, 2022 19:38:15.719681025 CET | 52481 | 53 | 192.168.2.6 | 8.8.8.8
Nov 29, 2022 19:38:15.738940954 CET | 53 | 52481 | 8.8.8.8 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 29, 2022 19:37:07.495767117 CET | 192.168.2.6 | 8.8.8.8 | 0xf41e | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:07.538335085 CET | 192.168.2.6 | 8.8.8.8 | 0xd51f | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:26.407497883 CET | 192.168.2.6 | 8.8.8.8 | 0x43b6 | Standard query (0) | mail.strictfacilityservices.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:26.886347055 CET | 192.168.2.6 | 8.8.8.8 | 0xe34c | Standard query (0) | mail.strictfacilityservices.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:53.002229929 CET | 192.168.2.6 | 8.8.8.8 | 0x837b | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:53.077909946 CET | 192.168.2.6 | 8.8.8.8 | 0xa76c | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:38:15.257229090 CET | 192.168.2.6 | 8.8.8.8 | 0x3a2e | Standard query (0) | mail.strictfacilityservices.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:38:15.719681025 CET | 192.168.2.6 | 8.8.8.8 | 0xc385 | Standard query (0) | mail.strictfacilityservices.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 29, 2022 19:37:07.512861967 CET | 8.8.8.8 | 192.168.2.6 | 0xf41e | No error (0) | api.ipify.org | api.ipify.org.herokudns.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 19:37:07.512861967 CET | 8.8.8.8 | 192.168.2.6 | 0xf41e | No error (0) | api.ipify.org.herokudns.com | | 3.220.57.224 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:07.512861967 CET | 8.8.8.8 | 192.168.2.6 | 0xf41e | No error (0) | api.ipify.org.herokudns.com | | 52.20.78.240 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:07.512861967 CET | 8.8.8.8 | 192.168.2.6 | 0xf41e | No error (0) | api.ipify.org.herokudns.com | | 3.232.242.170 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:07.512861967 CET | 8.8.8.8 | 192.168.2.6 | 0xf41e | No error (0) | api.ipify.org.herokudns.com | | 54.91.59.199 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:07.555747032 CET | 8.8.8.8 | 192.168.2.6 | 0xd51f | No error (0) | api.ipify.org | api.ipify.org.herokudns.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 19:37:07.555747032 CET | 8.8.8.8 | 192.168.2.6 | 0xd51f | No error (0) | api.ipify.org.herokudns.com | | 3.232.242.170 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:07.555747032 CET | 8.8.8.8 | 192.168.2.6 | 0xd51f | No error (0) | api.ipify.org.herokudns.com | | 3.220.57.224 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:07.555747032 CET | 8.8.8.8 | 192.168.2.6 | 0xd51f | No error (0) | api.ipify.org.herokudns.com | | 52.20.78.240 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:07.555747032 CET | 8.8.8.8 | 192.168.2.6 | 0xd51f | No error (0) | api.ipify.org.herokudns.com | | 54.91.59.199 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:26.803889990 CET | 8.8.8.8 | 192.168.2.6 | 0x43b6 | No error (0) | mail.strictfacilityservices.com | strictfacilityservices.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 19:37:26.803889990 CET | 8.8.8.8 | 192.168.2.6 | 0x43b6 | No error (0) | strictfacilityservices.com | | 111.118.212.38 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:27.278209925 CET | 8.8.8.8 | 192.168.2.6 | 0xe34c | No error (0) | mail.strictfacilityservices.com | strictfacilityservices.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 19:37:27.278209925 CET | 8.8.8.8 | 192.168.2.6 | 0xe34c | No error (0) | strictfacilityservices.com | | 111.118.212.38 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:53.021419048 CET | 8.8.8.8 | 192.168.2.6 | 0x837b | No error (0) | api.ipify.org | api.ipify.org.herokudns.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 19:37:53.021419048 CET | 8.8.8.8 | 192.168.2.6 | 0x837b | No error (0) | api.ipify.org.herokudns.com | | 3.232.242.170 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:53.021419048 CET | 8.8.8.8 | 192.168.2.6 | 0x837b | No error (0) | api.ipify.org.herokudns.com | | 54.91.59.199 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:53.021419048 CET | 8.8.8.8 | 192.168.2.6 | 0x837b | No error (0) | api.ipify.org.herokudns.com | | 52.20.78.240 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:53.021419048 CET | 8.8.8.8 | 192.168.2.6 | 0x837b | No error (0) | api.ipify.org.herokudns.com | | 3.220.57.224 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:53.096793890 CET | 8.8.8.8 | 192.168.2.6 | 0xa76c | No error (0) | api.ipify.org | api.ipify.org.herokudns.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 19:37:53.096793890 CET | 8.8.8.8 | 192.168.2.6 | 0xa76c | No error (0) | api.ipify.org.herokudns.com | | 54.91.59.199 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:53.096793890 CET | 8.8.8.8 | 192.168.2.6 | 0xa76c | No error (0) | api.ipify.org.herokudns.com | | 52.20.78.240 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:53.096793890 CET | 8.8.8.8 | 192.168.2.6 | 0xa76c | No error (0) | api.ipify.org.herokudns.com | | 3.232.242.170 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:37:53.096793890 CET | 8.8.8.8 | 192.168.2.6 | 0xa76c | No error (0) | api.ipify.org.herokudns.com | | 3.220.57.224 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:38:15.647279024 CET | 8.8.8.8 | 192.168.2.6 | 0x3a2e | No error (0) | mail.strictfacilityservices.com | strictfacilityservices.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 19:38:15.647279024 CET | 8.8.8.8 | 192.168.2.6 | 0x3a2e | No error (0) | strictfacilityservices.com | | 111.118.212.38 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 19:38:15.738940954 CET | 8.8.8.8 | 192.168.2.6 | 0xc385 | No error (0) | mail.strictfacilityservices.com | strictfacilityservices.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 19:38:15.738940954 CET | 8.8.8.8 | 192.168.2.6 | 0xc385 | No error (0) | strictfacilityservices.com | | 111.118.212.38 | A (IP address) | IN (0x0001) | false
                                                  • api.ipify.org
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 29, 2022 19:37:29.863013029 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6 | 220-bh-in-36.webhostbox.net ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 18:37:29 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 29, 2022 19:37:29.869247913 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38 | EHLO 927537
Nov 29, 2022 19:37:30.148148060 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6 | 250-bh-in-36.webhostbox.net Hello 927537 [102.129.143.49]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Nov 29, 2022 19:37:30.150072098 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38 | AUTH login YWNjb3VudHNAc3RyaWN0ZmFjaWxpdHlzZXJ2aWNlcy5jb20=
Nov 29, 2022 19:37:30.429714918 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6 | 334 UGFzc3dvcmQ6
Nov 29, 2022 19:37:31.260838985 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6 | 235 Authentication succeeded
Nov 29, 2022 19:37:31.261821985 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38 | MAIL FROM:<accounts@strictfacilityservices.com>
Nov 29, 2022 19:37:31.541328907 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6 | 250 OK
Nov 29, 2022 19:37:31.541712999 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38 | RCPT TO:<guc850155@gmail.com>
Nov 29, 2022 19:37:31.893450022 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6 | 250 Accepted
Nov 29, 2022 19:37:31.893871069 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38 | DATA
Nov 29, 2022 19:37:32.172235012 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6 | 354 Enter message, ending with "." on a line by itself
Nov 29, 2022 19:37:32.174438953 CET | 49718 | 587 | 192.168.2.6 | 111.118.212.38 | .
Nov 29, 2022 19:37:32.454948902 CET | 587 | 49718 | 111.118.212.38 | 192.168.2.6 | 250 OK id=1p05U4-002GFu-0G
Nov 29, 2022 19:38:17.044811010 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6 | 220-bh-in-36.webhostbox.net ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 18:38:16 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 29, 2022 19:38:17.049279928 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38 | EHLO 927537
Nov 29, 2022 19:38:17.323196888 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6 | 250-bh-in-36.webhostbox.net Hello 927537 [102.129.143.49]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Nov 29, 2022 19:38:17.323652983 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38 | AUTH login YWNjb3VudHNAc3RyaWN0ZmFjaWxpdHlzZXJ2aWNlcy5jb20=
Nov 29, 2022 19:38:17.597578049 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6 | 334 UGFzc3dvcmQ6
Nov 29, 2022 19:38:18.662144899 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6 | 235 Authentication succeeded
Nov 29, 2022 19:38:18.662529945 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38 | MAIL FROM:<accounts@strictfacilityservices.com>
Nov 29, 2022 19:38:18.936109066 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6 | 250 OK
Nov 29, 2022 19:38:18.936378002 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38 | RCPT TO:<guc850155@gmail.com>
Nov 29, 2022 19:38:19.277188063 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6 | 250 Accepted
Nov 29, 2022 19:38:19.277587891 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38 | DATA
Nov 29, 2022 19:38:19.559258938 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6 | 354 Enter message, ending with "." on a line by itself
Nov 29, 2022 19:38:19.561502934 CET | 49723 | 587 | 192.168.2.6 | 111.118.212.38 | .
Nov 29, 2022 19:38:19.835743904 CET | 587 | 49723 | 111.118.212.38 | 192.168.2.6 | 250 OK id=1p05Up-002Gde-Cs


                                                  Target ID:0
                                                  Start time:19:36:26
                                                  Start date:29/11/2022
                                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
                                                  Imagebase:0xcf0000
                                                  File size:731648 bytes
                                                  MD5 hash:65CF34490748F7924DB84DC043F5D81E
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.316510086.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  Reputation:low

                                                  Target ID:8
                                                  Start time:19:36:52
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmp2885.tmp
                                                  Imagebase:0x960000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 9
Start time: 19:36:52
Start date: 29/11/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6da640000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 10
Start time: 19:36:53
Start date: 29/11/2022
Path: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0x780000
File size: 731648 bytes
MD5 hash: 65CF34490748F7924DB84DC043F5D81E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.524293663.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000000.305776965.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000000.305776965.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 0000000A.00000000.305776965.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.525329197.0000000002B54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 11
Start time: 19:36:53
Start date: 29/11/2022
Path: C:\Users\user\AppData\Roaming\IwUNvHNy.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\IwUNvHNy.exe
Imagebase: 0x3a0000
File size: 731648 bytes
MD5 hash: 65CF34490748F7924DB84DC043F5D81E
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

Target ID: 12
Start time: 19:37:38
Start date: 29/11/2022
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwUNvHNy" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CA.tmp
Imagebase: 0x960000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Target ID: 13
Start time: 19:37:38
Start date: 29/11/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6da640000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Target ID: 14
Start time: 19:37:39
Start date: 29/11/2022
Path: C:\Users\user\AppData\Roaming\IwUNvHNy.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xcf0000
File size: 731648 bytes
MD5 hash: 65CF34490748F7924DB84DC043F5D81E
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.525739728.0000000003164000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.524696684.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

No disassembly