Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

AV Detection

Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "laju.varghese@grupocatqla.com", "Password": ")Ivlmuj5"}

Source: C:\Users\user\AppData\Roaming\lnYkIr.exe

ReversingLabs: Detection: 28%

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\AppData\Roaming\lnYkIr.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Joe Sandbox ML: detected

Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack	String decryptor: u2R6%?_S
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack	String decryptor: $%5'$:
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack	String decryptor: `R cvJW&H(D(WAG
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack	String decryptor: cSXU]QyT~SXU]LyTcSEU]QyIcSXU]QyTcSXU
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack	String decryptor: 0=1 ?"6
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack	String decryptor: vFCY,)-
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack	String decryptor: uZ_C)
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack	String decryptor: rUB]TYSE

Compliance

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: sKdvLcn.pdb source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, lnYkIr.exe.0.dr
Source:	Binary string: sKdvLcn.pdbSHA256 source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, lnYkIr.exe.0.dr

Software Vulnerabilities

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 4x nop then jmp 0B7F01F1h		0_2_0B7F0422
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 4x nop then jmp 0768EF19h		10_2_0768F14A

Networking

Source: Yara match	File source: 10.2.lnYkIr.exe.445b050.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.441fa30.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49729 -> 208.91.198.143:587

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

TCP traffic: 192.168.2.5:49729 -> 208.91.198.143:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366187385.0000000001390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3378982161.0000000006CF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.000000000328D000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3379016292.0000000006706000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366187385.000000000142D000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: lnYkIr.exe, 0000000E.00000002.3379016292.0000000006706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.usertr
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366187385.000000000142D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3378982161.0000000006CF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.000000000328D000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.0000000003231000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.0000000003231000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000A.00000002.2187787442.000000000441F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3365722284.0000000000429000.00000040.00000400.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingCi
Source: lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingyi;
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366187385.0000000001390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3378982161.0000000006CF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.000000000328D000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3379016292.0000000006706000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366187385.000000000142D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3378982161.0000000006CF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.000000000328D000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0A
Source: lnYkIr.exe, 0000000E.00000002.3379016292.0000000006706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.usertru
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2145030822.0000000002E18000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.0000000003231000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000A.00000002.2186008382.0000000003228000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.000000000328D000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002C37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000A.00000002.2187787442.000000000441F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3365722284.0000000000429000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366187385.000000000142D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3378982161.0000000006CF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.000000000328D000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, J4qms1IPBw.cs

.Net Code: _4SbXE

System Summary

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.lnYkIr.exe.441fa30.11.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.lnYkIr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.lnYkIr.exe.445b050.12.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.lnYkIr.exe.441fa30.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.2df41e8.5.raw.unpack, Architectural.cs

Large array initialization: : array initializer size 17982

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_052B79E8		0_2_052B79E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_052B03A8		0_2_052B03A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_052B0D68		0_2_052B0D68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_052B0D59		0_2_052B0D59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_052B79D8		0_2_052B79D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070E9798		0_2_070E9798
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070EB6D2		0_2_070EB6D2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070EB6E0		0_2_070EB6E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070EA440		0_2_070EA440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070EA008		0_2_070EA008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070E0C99		0_2_070E0C99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070E0CA8		0_2_070E0CA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070E9BC2		0_2_070E9BC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070E9BD0		0_2_070E9BD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_0B7F0040		0_2_0B7F0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_0B7F0040		0_2_0B7F0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_0B7F0007		0_2_0B7F0007
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030DC7B0		9_2_030DC7B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030D4AC0		9_2_030D4AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030DD0E7		9_2_030DD0E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030D3EA8		9_2_030D3EA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030D41F0		9_2_030D41F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_06FDDE10		9_2_06FDDE10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_06FD5980		9_2_06FD5980
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_01764B39		10_2_01764B39
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0768ED68		10_2_0768ED68
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_07689798		10_2_07689798
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0768B6E0		10_2_0768B6E0
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0768B6D3		10_2_0768B6D3
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0768A440		10_2_0768A440
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0768A008		10_2_0768A008
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0768ED59		10_2_0768ED59
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_07680CA8		10_2_07680CA8
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_07680C99		10_2_07680C99
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_07689BC3		10_2_07689BC3
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_07689BD0		10_2_07689BD0
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0768ED68		10_2_0768ED68
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_01334AC0		14_2_01334AC0
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_0133D0E7		14_2_0133D0E7
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_01333EA8		14_2_01333EA8
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_013341F0		14_2_013341F0
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_069FDE10		14_2_069FDE10
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_069F5980		14_2_069F5980

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2148269661.0000000007130000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2145030822.0000000002E18000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename3e301610-77d9-4d01-8699-0e498c12f7fa.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000000.2100144872.000000000098C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesKdvLcn.exe" vs SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2142658019.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename3e301610-77d9-4d01-8699-0e498c12f7fa.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366131390.0000000001358000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Binary or memory string: OriginalFilenamesKdvLcn.exe" vs SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: dwrite.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: textshaping.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: windowscodecs.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: rasapi32.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: rasman.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: rtutils.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: vaultcli.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ncryptsslp.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: dwrite.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: textshaping.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: windowscodecs.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: msasn1.dll

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.lnYkIr.exe.441fa30.11.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.lnYkIr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.lnYkIr.exe.445b050.12.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.lnYkIr.exe.441fa30.11.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: lnYkIr.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, Lds5plxAPDj.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, LZYJybC.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, wDxPSW1p.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, E0w8WLnyggK.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, ZBSJHga2buE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, M4oIYVa.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, kSS2HMsB8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, kSS2HMsB8.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, B54uhvmGLlyX4pN6ow.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, AfUbALyC500FynBqvI.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, AfUbALyC500FynBqvI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, AfUbALyC500FynBqvI.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, B54uhvmGLlyX4pN6ow.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, AfUbALyC500FynBqvI.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, AfUbALyC500FynBqvI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, AfUbALyC500FynBqvI.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

File created: C:\Users\user\AppData\Roaming\lnYkIr.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1084:120:WilError_03
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Mutant created: \Sessions\1\BaseNamedObjects\UlgJvs
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9C71.tmp

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lnYkIr.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmp9C71.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\lnYkIr.exe C:\Users\user\AppData\Roaming\lnYkIr.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmpADC6.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process created: C:\Users\user\AppData\Roaming\lnYkIr.exe C:\Users\user\AppData\Roaming\lnYkIr.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lnYkIr.exe			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmp9C71.tmp			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmpADC6.tmp			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process created: C:\Users\user\AppData\Roaming\lnYkIr.exe C:\Users\user\AppData\Roaming\lnYkIr.exe			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: sKdvLcn.pdb source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, lnYkIr.exe.0.dr
Source:	Binary string: sKdvLcn.pdbSHA256 source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, lnYkIr.exe.0.dr

Data Obfuscation

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, AfUbALyC500FynBqvI.cs	.Net Code: bKmRjtHvbX System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, AfUbALyC500FynBqvI.cs	.Net Code: bKmRjtHvbX System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.2df41e8.5.raw.unpack, Ar.cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_02BFA448 pushad ; ret		0_2_02BFA449
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_0B7F37DD push FFFFFF8Bh; iretd		0_2_0B7F37DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030D0708 push eax; ret		9_2_030D0712
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030D0718 push eax; ret		9_2_030D0722
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030D0728 push eax; ret		9_2_030D0732
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030D06C8 push eax; ret		9_2_030D0702
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_06FD8FF0 pushfd ; retf		9_2_06FD8FFD
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0176A44A push eax; ret		10_2_0176A451
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0176A448 pushad ; ret		10_2_0176A449
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0A6824B5 push FFFFFF8Bh; iretd		10_2_0A6824B7
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_01330718 push eax; ret		14_2_01330722
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_01330708 push eax; ret		14_2_01330712
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_01330698 push eax; ret		14_2_01330712
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_01330698 push eax; ret		14_2_01330732
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_013306C8 push eax; ret		14_2_01330702

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Static PE information: section name: .text entropy: 7.900652138585597
Source: lnYkIr.exe.0.dr	Static PE information: section name: .text entropy: 7.900652138585597

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, Y2xhaHzpVWr0qPqPe5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'roQ0oNhaND', 'lcA0r2LlDp', 'JmR0BjiLGy', 'r7j06otRwI', 'Rld0vHVUtW', 'u2W00jaLyM', 'vUR0VAneCa'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, uSWedTON0pZsaQDlE7.cs	High entropy of concatenated method names: 'ToString', 'iZ0BiQxM4I', 'q9fBW589D3', 'ClfBK3sN1E', 'voJBFrTTpT', 'dWcBtSjELU', 'bZFBkQ4i6N', 'r9gBLrNNRg', 'TrvB3jjSVx', 'sHnB7jH9XC'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, elDDp3HPIobioVFnqi.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'YwKpwJPng2', 'S17pZGW9R2', 'I5bpzOhQuE', 'sDcUagCe6e', 'odeU4Rf2mD', 'rxXUpLgTRe', 'EssUUmSCYJ', 'bCWWOwWwyoxWFlxFFKx'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, M4CJD2cOceSjToPAu1.cs	High entropy of concatenated method names: 'Dispose', 'xhe4weBFJG', 'j8mpWwc3T2', 'cMP88Ct8gZ', 'p0R4ZcEy9O', 'BwT4zCDIhE', 'ProcessDialogKey', 'ffYpa9cqyC', 'LGFp4gxtdi', 'fSIppoAiv9'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, AcxjPt4arkHdo90ERvm.cs	High entropy of concatenated method names: 'WHZ0Y7UAYp', 'jrI0DX47wT', 't560jFmNWg', 'Tdf0GVBV7U', 'E3V0Tm4ohL', 'dF00ut0IWl', 'pCS0beK32v', 'gfV0mi2gdM', 'JJh0fAhUNL', 'kIW0ximueC'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, B54uhvmGLlyX4pN6ow.cs	High entropy of concatenated method names: 'km7c9pvgod', 'uJQc1iuFU4', 'KY3cOURNCJ', 'SQ8c8g1akg', 'T3mce2YRgE', 'nhvcPQCilT', 'QJEcAHfxIT', 'inHcCRUX4X', 'tM8cwj5Tli', 'YGYcZPKRTh'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, fRACX4xPO18mSo9ekl.cs	High entropy of concatenated method names: 'Fev5TXYnxG', 'aYj5b2WIDw', 'JKtHKxoYAF', 'VbhHFwxNwF', 'hOYHtZK4TB', 'bYSHk2pKrb', 'EwgHLaLNrR', 'B63H39SR9M', 'OriH7W8Nnt', 'f7FHQUvLyg'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, x9cqyCwLGFgxtdilSI.cs	High entropy of concatenated method names: 'XcRvghc9G9', 'pTRvW0XQGp', 'eifvKRW8v1', 'JTEvFmrXYI', 'L3dv9mcStw', 'dLZvtuncme', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, zXIgiB4p7fQ4TwLhUoH.cs	High entropy of concatenated method names: 'rp6VYRi78Y', 'UtQVDMbRuX', 'FBCVj9GjLv', 'CrENuxqmAvX5aN6qVXI', 'kB9XioqlMlTn2Bnlx4O', 'j3hP9mqU4NI7DPrbyEn', 'whYvyGqHoFbWlwooZIg', 'AsjXpGqhchxZPA5MwYJ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, uOikXZRACP8fm5xu2c.cs	High entropy of concatenated method names: 'aTT4X54uhv', 'ALl4yyX4pN', 'LRY4n2JI2y', 'mOJ42NcRAC', 'o9e4rklstO', 'wZ64BREl3C', 'gcQpHNSptCWOA1KF2T', 'IMjPbHXN7HF8MSfHvM', 'DDqnfhK3LoRQZO0GN3', 's7n440L0DI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, TR2kGu4UvRae0cmEBUc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kvSV9ZgSr9', 'syAV19mfbk', 'wLEVOhgnGP', 'yd4V89D8po', 'ETTVeuKvZc', 'yppVPVZwtT', 'Ah2VAbIqRm'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, nAiv9FZhRaIO79efY1.cs	High entropy of concatenated method names: 'gRN04fHUox', 'XGV0UkMy5P', 'kxH0RKSDmf', 'cQZ0lfhQ8E', 'JRW0cQOaaI', 'vEa0557Qof', 'rSE0q5rF74', 'PFHvA7gNGu', 'lZ4vCja3i0', 'FZavwxALT8'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, Pp43I3Lx3ZeQKe9E6s.cs	High entropy of concatenated method names: 'u6VXlU1R5c', 'J8nXHmrjgR', 'XR5Xqa2Wv1', 'RT8qZIhcVO', 'HEwqzFlFYv', 'EWSXaCQ2bt', 'wMQX4Bj2m7', 'A2kXpUOqa8', 'IvHXUL3aht', 'ho4XRXPJEB'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, JLNnh3fRY2JI2y2OJN.cs	High entropy of concatenated method names: 'A1AHGKQuBb', 'znyHu9wWGF', 'nXyHmjocTE', 'NOZHfjKQwo', 'fTeHrCR8pG', 'aHHHBh0ugJ', 'iB5H6VcOWw', 'hL4HvLX7Oh', 'u0dH042vfl', 'otUHVhaswq'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, on1bXYpw5Dbt7hdRmA.cs	High entropy of concatenated method names: 'jI5jAjCsp', 'n4MGAO8y8', 'lKLu3MNcl', 'zgebgMICY', 'N9xfdKXkw', 'sitx1i0Ll', 'wK3r1VbqTIt5tiuQW8', 'SQrl8eM5xUsxDs6ssa', 'VLMv7dgJ3', 'o4eVT5g5a'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, sRcEy9COTwTCDIhElf.cs	High entropy of concatenated method names: 'eJYvlbRXO3', 'ifQvcQRBXp', 'iJfvHoAOC8', 'CUNv5Qn3OQ', 'Y1bvqBKdpY', 'pCbvX0TrET', 'ss7vyYGxcH', 'ppBvMvj5nX', 'HFpvneeUBa', 'WAxv2LNKH5'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, MpRDFV9vBfpQsVwLWj.cs	High entropy of concatenated method names: 'aqFrQfQgKJ', 'kZErdK5u6F', 'KgYr9fmW8V', 'Y1pr15Iaa4', 'Oc1rWdX656', 'MydrKEYhBH', 'HQIrFgDEd0', 'P6urtEsei6', 'Gl0rk2I74F', 'WsPrL85ksI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, utOIZ6gREl3CLe8Wuc.cs	High entropy of concatenated method names: 'qbSqNrJ7hr', 'RoRqc0CcKI', 'RU4q5LUNF1', 'TUWqXx9ef6', 'JSVqyrfu5U', 'kNG5etL0tI', 'B295PpbTtm', 'Jxm5AFjrh8', 'gSP5Cdhj5c', 'MNs5whkM6i'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, XfKWYy7qoSjnocn2Mt.cs	High entropy of concatenated method names: 'O94XYZHcjr', 'X47XD1YLTJ', 'YLHXjfOs2r', 'FMVXGT1p6M', 'VyRXT44A0r', 'Q5xXuvGTdW', 'B9yXbYtbF3', 'GVvXmbeyAZ', 'kcWXf8hTTc', 'R9uXx8tKPn'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, FRpcSaPxFAS6APJwiL.cs	High entropy of concatenated method names: 'vZt6C9cFrE', 'F4J6ZmrGnO', 'NnbvatH592', 'hWPv44IDVX', 'G576iY7Bir', 'r7B6dtrD59', 'FsS6ErAqvc', 'vfN69Dl8MI', 'oYj61ddqAd', 'awF6OnjUEx'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, AfUbALyC500FynBqvI.cs	High entropy of concatenated method names: 'adFUNab2jZ', 'WcnUlluGJ4', 'y7nUcJZChw', 'W9WUHKPyNM', 'vH5U5c3PMp', 'AnvUq5kUVi', 'vQgUXaYRU9', 'Q0uUyj96IC', 'S5qUMloObW', 'mhAUnu9DPI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, f1PYmeE4fTIbqTOcMr.cs	High entropy of concatenated method names: 'bSQomyY0Rs', 'zyuoftb2np', 'DdLogIanfF', 'WFfoWSOW13', 'HEuoFkuIsC', 'JKDotqgu6i', 'rPQoLF19BS', 'gVso3BvOH6', 'oIUoQYeuAo', 'djCoi2l0ts'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, Y2xhaHzpVWr0qPqPe5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'roQ0oNhaND', 'lcA0r2LlDp', 'JmR0BjiLGy', 'r7j06otRwI', 'Rld0vHVUtW', 'u2W00jaLyM', 'vUR0VAneCa'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, uSWedTON0pZsaQDlE7.cs	High entropy of concatenated method names: 'ToString', 'iZ0BiQxM4I', 'q9fBW589D3', 'ClfBK3sN1E', 'voJBFrTTpT', 'dWcBtSjELU', 'bZFBkQ4i6N', 'r9gBLrNNRg', 'TrvB3jjSVx', 'sHnB7jH9XC'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, elDDp3HPIobioVFnqi.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'YwKpwJPng2', 'S17pZGW9R2', 'I5bpzOhQuE', 'sDcUagCe6e', 'odeU4Rf2mD', 'rxXUpLgTRe', 'EssUUmSCYJ', 'bCWWOwWwyoxWFlxFFKx'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, M4CJD2cOceSjToPAu1.cs	High entropy of concatenated method names: 'Dispose', 'xhe4weBFJG', 'j8mpWwc3T2', 'cMP88Ct8gZ', 'p0R4ZcEy9O', 'BwT4zCDIhE', 'ProcessDialogKey', 'ffYpa9cqyC', 'LGFp4gxtdi', 'fSIppoAiv9'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, AcxjPt4arkHdo90ERvm.cs	High entropy of concatenated method names: 'WHZ0Y7UAYp', 'jrI0DX47wT', 't560jFmNWg', 'Tdf0GVBV7U', 'E3V0Tm4ohL', 'dF00ut0IWl', 'pCS0beK32v', 'gfV0mi2gdM', 'JJh0fAhUNL', 'kIW0ximueC'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, B54uhvmGLlyX4pN6ow.cs	High entropy of concatenated method names: 'km7c9pvgod', 'uJQc1iuFU4', 'KY3cOURNCJ', 'SQ8c8g1akg', 'T3mce2YRgE', 'nhvcPQCilT', 'QJEcAHfxIT', 'inHcCRUX4X', 'tM8cwj5Tli', 'YGYcZPKRTh'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, fRACX4xPO18mSo9ekl.cs	High entropy of concatenated method names: 'Fev5TXYnxG', 'aYj5b2WIDw', 'JKtHKxoYAF', 'VbhHFwxNwF', 'hOYHtZK4TB', 'bYSHk2pKrb', 'EwgHLaLNrR', 'B63H39SR9M', 'OriH7W8Nnt', 'f7FHQUvLyg'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, x9cqyCwLGFgxtdilSI.cs	High entropy of concatenated method names: 'XcRvghc9G9', 'pTRvW0XQGp', 'eifvKRW8v1', 'JTEvFmrXYI', 'L3dv9mcStw', 'dLZvtuncme', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, zXIgiB4p7fQ4TwLhUoH.cs	High entropy of concatenated method names: 'rp6VYRi78Y', 'UtQVDMbRuX', 'FBCVj9GjLv', 'CrENuxqmAvX5aN6qVXI', 'kB9XioqlMlTn2Bnlx4O', 'j3hP9mqU4NI7DPrbyEn', 'whYvyGqHoFbWlwooZIg', 'AsjXpGqhchxZPA5MwYJ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, uOikXZRACP8fm5xu2c.cs	High entropy of concatenated method names: 'aTT4X54uhv', 'ALl4yyX4pN', 'LRY4n2JI2y', 'mOJ42NcRAC', 'o9e4rklstO', 'wZ64BREl3C', 'gcQpHNSptCWOA1KF2T', 'IMjPbHXN7HF8MSfHvM', 'DDqnfhK3LoRQZO0GN3', 's7n440L0DI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, TR2kGu4UvRae0cmEBUc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kvSV9ZgSr9', 'syAV19mfbk', 'wLEVOhgnGP', 'yd4V89D8po', 'ETTVeuKvZc', 'yppVPVZwtT', 'Ah2VAbIqRm'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, nAiv9FZhRaIO79efY1.cs	High entropy of concatenated method names: 'gRN04fHUox', 'XGV0UkMy5P', 'kxH0RKSDmf', 'cQZ0lfhQ8E', 'JRW0cQOaaI', 'vEa0557Qof', 'rSE0q5rF74', 'PFHvA7gNGu', 'lZ4vCja3i0', 'FZavwxALT8'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, Pp43I3Lx3ZeQKe9E6s.cs	High entropy of concatenated method names: 'u6VXlU1R5c', 'J8nXHmrjgR', 'XR5Xqa2Wv1', 'RT8qZIhcVO', 'HEwqzFlFYv', 'EWSXaCQ2bt', 'wMQX4Bj2m7', 'A2kXpUOqa8', 'IvHXUL3aht', 'ho4XRXPJEB'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, JLNnh3fRY2JI2y2OJN.cs	High entropy of concatenated method names: 'A1AHGKQuBb', 'znyHu9wWGF', 'nXyHmjocTE', 'NOZHfjKQwo', 'fTeHrCR8pG', 'aHHHBh0ugJ', 'iB5H6VcOWw', 'hL4HvLX7Oh', 'u0dH042vfl', 'otUHVhaswq'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, on1bXYpw5Dbt7hdRmA.cs	High entropy of concatenated method names: 'jI5jAjCsp', 'n4MGAO8y8', 'lKLu3MNcl', 'zgebgMICY', 'N9xfdKXkw', 'sitx1i0Ll', 'wK3r1VbqTIt5tiuQW8', 'SQrl8eM5xUsxDs6ssa', 'VLMv7dgJ3', 'o4eVT5g5a'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, sRcEy9COTwTCDIhElf.cs	High entropy of concatenated method names: 'eJYvlbRXO3', 'ifQvcQRBXp', 'iJfvHoAOC8', 'CUNv5Qn3OQ', 'Y1bvqBKdpY', 'pCbvX0TrET', 'ss7vyYGxcH', 'ppBvMvj5nX', 'HFpvneeUBa', 'WAxv2LNKH5'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, MpRDFV9vBfpQsVwLWj.cs	High entropy of concatenated method names: 'aqFrQfQgKJ', 'kZErdK5u6F', 'KgYr9fmW8V', 'Y1pr15Iaa4', 'Oc1rWdX656', 'MydrKEYhBH', 'HQIrFgDEd0', 'P6urtEsei6', 'Gl0rk2I74F', 'WsPrL85ksI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, utOIZ6gREl3CLe8Wuc.cs	High entropy of concatenated method names: 'qbSqNrJ7hr', 'RoRqc0CcKI', 'RU4q5LUNF1', 'TUWqXx9ef6', 'JSVqyrfu5U', 'kNG5etL0tI', 'B295PpbTtm', 'Jxm5AFjrh8', 'gSP5Cdhj5c', 'MNs5whkM6i'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, XfKWYy7qoSjnocn2Mt.cs	High entropy of concatenated method names: 'O94XYZHcjr', 'X47XD1YLTJ', 'YLHXjfOs2r', 'FMVXGT1p6M', 'VyRXT44A0r', 'Q5xXuvGTdW', 'B9yXbYtbF3', 'GVvXmbeyAZ', 'kcWXf8hTTc', 'R9uXx8tKPn'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, FRpcSaPxFAS6APJwiL.cs	High entropy of concatenated method names: 'vZt6C9cFrE', 'F4J6ZmrGnO', 'NnbvatH592', 'hWPv44IDVX', 'G576iY7Bir', 'r7B6dtrD59', 'FsS6ErAqvc', 'vfN69Dl8MI', 'oYj61ddqAd', 'awF6OnjUEx'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, AfUbALyC500FynBqvI.cs	High entropy of concatenated method names: 'adFUNab2jZ', 'WcnUlluGJ4', 'y7nUcJZChw', 'W9WUHKPyNM', 'vH5U5c3PMp', 'AnvUq5kUVi', 'vQgUXaYRU9', 'Q0uUyj96IC', 'S5qUMloObW', 'mhAUnu9DPI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, f1PYmeE4fTIbqTOcMr.cs	High entropy of concatenated method names: 'bSQomyY0Rs', 'zyuoftb2np', 'DdLogIanfF', 'WFfoWSOW13', 'HEuoFkuIsC', 'JKDotqgu6i', 'rPQoLF19BS', 'gVso3BvOH6', 'oIUoQYeuAo', 'djCoi2l0ts'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.70d0000.13.raw.unpack, ReactionVessel.cs	High entropy of concatenated method names: 'CopyMemory', 'SearchResult', 'CausalitySource', 'K4oTsswVn', 'ComputeReaction', 'ResizeVessel', 'Inject', 'c6vkj3brm', 'Init', 'Init'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.30790cc.3.raw.unpack, ReactionVessel.cs	High entropy of concatenated method names: 'CopyMemory', 'SearchResult', 'CausalitySource', 'K4oTsswVn', 'ComputeReaction', 'ResizeVessel', 'Inject', 'c6vkj3brm', 'Init', 'Init'

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

File created: C:\Users\user\AppData\Roaming\lnYkIr.exe

Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmp9C71.tmp

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 5244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lnYkIr.exe PID: 7344, type: MEMORYSTR

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000A.00000002.2187787442.000000000441F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3365722284.0000000000429000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 1300000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 2DD0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 2C60000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 8D90000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 71C0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 9E90000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: AE90000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 30D0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 3230000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 5230000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 1760000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 31E0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 51E0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 8BF0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 9BF0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 8BF0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 1330000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 2BE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 29A0000 memory reserve | memory write watch

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5931			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5307			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Window / User API: threadDelayed 4403			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Window / User API: threadDelayed 4634			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Window / User API: threadDelayed 4938
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Window / User API: threadDelayed 931

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 2940	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7292	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7240	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7264	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -23058430092136925s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -100000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7520	Thread sleep count: 4403 > 30			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -99875s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -99745s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -99638s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7520	Thread sleep count: 4634 > 30			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -99531s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -99418s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -99311s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -99203s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -99093s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98984s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98874s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98765s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98642s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98500s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98389s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98281s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98171s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98062s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97952s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97843s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97734s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97624s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97500s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97390s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97280s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97171s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97062s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96952s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96843s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96734s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96624s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96499s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96324s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96218s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96109s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95890s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95781s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95671s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95562s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95453s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95343s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95234s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95125s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95015s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7512	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -99891s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7828	Thread sleep count: 4938 > 30
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7828	Thread sleep count: 931 > 30
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -99782s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -99657s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -99532s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -99047s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -98938s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -98828s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -98702s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -98594s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -98138s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97998s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97891s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97782s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97657s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97532s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97422s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97313s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97188s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97063s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -96938s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -96813s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -96703s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 100000			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 99875			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 99745			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 99638			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 99531			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 99418			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 99311			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 99203			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 99093			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98984			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98874			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98765			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98642			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98500			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98389			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98281			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98171			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98062			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97952			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97843			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97734			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97624			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97500			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97390			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97280			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97171			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97062			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96952			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96843			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96734			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96624			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96499			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96324			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96218			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96109			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96000			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95890			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95781			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95671			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95562			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95453			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95343			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95234			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95125			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95015			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 99891
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 99782
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 99657
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 99532
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 99422
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 99313
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 99047
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 98938
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 98828
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 98702
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 98594
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 98469
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 98359
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 98250
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 98138
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97998
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97891
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97782
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97657
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97532
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97422
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97313
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97188
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97063
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 96938
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 96813
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 96703
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 922337203685477

Source: lnYkIr.exe, 0000000E.00000002.3365722284.0000000000429000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: lnYkIr.exe, 0000000E.00000002.3365722284.0000000000429000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366187385.000000000142D000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Code function: 9_2_030D70A8 CheckRemoteDebuggerPresent,

9_2_030D70A8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lnYkIr.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lnYkIr.exe			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory written: C:\Users\user\AppData\Roaming\lnYkIr.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lnYkIr.exe			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmp9C71.tmp			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmpADC6.tmp			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process created: C:\Users\user\AppData\Roaming\lnYkIr.exe C:\Users\user\AppData\Roaming\lnYkIr.exe			Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Users\user\AppData\Roaming\lnYkIr.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Users\user\AppData\Roaming\lnYkIr.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.441fa30.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.445b050.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.445b050.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.441fa30.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3368803671.00000000032AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3368803671.0000000003287000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3368803671.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3368762224.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3368762224.0000000002C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3368762224.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2187787442.000000000441F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 5244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lnYkIr.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lnYkIr.exe PID: 7708, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.441fa30.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.445b050.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.445b050.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.441fa30.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3368803671.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3365723059.0000000000437000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3368762224.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2187787442.000000000441F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 5244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lnYkIr.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lnYkIr.exe PID: 7708, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.441fa30.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.445b050.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.445b050.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.441fa30.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3368803671.00000000032AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3368803671.0000000003287000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3368803671.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3368762224.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3368762224.0000000002C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3368762224.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2187787442.000000000441F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 5244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lnYkIr.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lnYkIr.exe PID: 7708, type: MEMORYSTR