Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
Analysis ID: 1543577
MD5: 32bbe58d2336cd18c22d221a3836bd50
SHA1: 7b559b7160fa1f0de211afd3dcb81a41a2a7fd89
SHA256: 066e985867d56271776ab61510202ffdd1bec246fc15dd38dd17a38223d50d40
Tags: AveMariaRATexe

Detection

AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Ave Maria, AveMariaRAT, avemaria
Description: Information stealer which uses AutoIT for wrapping.
Attribution: Anunak
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

Name: UACMe
Description: A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme

AV Detection

Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack Malware Configuration Extractor: AveMaria {"C2 url": "wznne1.duckdns.org", "port": 63196, "Proxy Port": 0}
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Virustotal: Detection: 39%
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Virustotal: Detection: 39%
Source: Yara match File source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Joe Sandbox ML: detected

Exploits

Source: Yara match File source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rRQnnfB.exe PID: 7220, type: MEMORYSTR
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: fFdw.pdb source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, rRQnnfB.exe.0.dr
Source: Binary string: fFdw.pdbSHA256TFB source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, rRQnnfB.exe.0.dr

Networking

Source: Malware configuration extractor URLs: wznne1.duckdns.org
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1869611688.000000000279F000.00000004.00000800.00020000.00000000.sdmp, rRQnnfB.exe, 0000000D.00000002.1918659052.0000000002A69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883579784.0000000005070000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1883842871.0000000006772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, rRQnnfB.exe, 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_886a90b9-2

E-Banking Fraud

Source: Yara match File source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_08706780 NtQueryInformationProcess, 0_2_08706780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_08706CA0 NtQueryInformationProcess, 0_2_08706CA0
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB6780 NtQueryInformationProcess, 13_2_06CB6780
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB6C58 NtQueryInformationProcess, 13_2_06CB6C58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_0088EF04 0_2_0088EF04
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_06F573B8 0_2_06F573B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_06F51EA8 0_2_06F51EA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_06F51E98 0_2_06F51E98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_06F515D0 0_2_06F515D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_06F51198 0_2_06F51198
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_087028D0 0_2_087028D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_087068A4 0_2_087068A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_08703BA0 0_2_08703BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_08708C20 0_2_08708C20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_08700040 0_2_08700040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_0870F4FA 0_2_0870F4FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_08705870 0_2_08705870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_087028C0 0_2_087028C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_08705880 0_2_08705880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_0870F980 0_2_0870F980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_08703B90 0_2_08703B90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_08708C10 0_2_08708C10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_08705CB8 0_2_08705CB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_08706E28 0_2_08706E28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_08708EB0 0_2_08708EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_08708EA0 0_2_08708EA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Code function: 0_2_08706178 0_2_08706178
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_0281EF04 13_2_0281EF04
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_02986568 13_2_02986568
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_02981198 13_2_02981198
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_02981EA8 13_2_02981EA8
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_02981EA3 13_2_02981EA3
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_029815D0 13_2_029815D0
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_04FA7768 13_2_04FA7768
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_04FA0040 13_2_04FA0040
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_04FA001C 13_2_04FA001C
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_04FA7740 13_2_04FA7740
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB0040 13_2_06CB0040
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB8C20 13_2_06CB8C20
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB3BA0 13_2_06CB3BA0
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB28D0 13_2_06CB28D0
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB68A4 13_2_06CB68A4
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBF5A7 13_2_06CBF5A7
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB6178 13_2_06CB6178
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB8EA0 13_2_06CB8EA0
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB8EB0 13_2_06CB8EB0
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB6E28 13_2_06CB6E28
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB5CB8 13_2_06CB5CB8
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB8C10 13_2_06CB8C10
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB3B90 13_2_06CB3B90
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB28C0 13_2_06CB28C0
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB5880 13_2_06CB5880
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB2898 13_2_06CB2898
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CB5870 13_2_06CB5870
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBF9E0 13_2_06CBF9E0
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1868545597.00000000008EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1884778433.0000000006EB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000000.1821904359.0000000000266000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamefFdw.exe( vs SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Binary or memory string: OriginalFilenamefFdw.exe( vs SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rRQnnfB.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, CVeAIRqKVAUjENZeFc.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, CVeAIRqKVAUjENZeFc.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, CX3iJ4B259LhE6n5YZ.cs Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, CX3iJ4B259LhE6n5YZ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, CX3iJ4B259LhE6n5YZ.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, CX3iJ4B259LhE6n5YZ.cs Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, CX3iJ4B259LhE6n5YZ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, CX3iJ4B259LhE6n5YZ.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, CX3iJ4B259LhE6n5YZ.cs Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, CX3iJ4B259LhE6n5YZ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, CX3iJ4B259LhE6n5YZ.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, CVeAIRqKVAUjENZeFc.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@35/15@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe File created: C:\Users\user\AppData\Roaming\rRQnnfB.exe
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Mutant created: \Sessions\1\BaseNamedObjects\BZvfDvpVAjvktJhjnBq
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3156:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2044:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1612:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe File created: C:\Users\user\AppData\Local\Temp\tmpE51C.tmp
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Virustotal: Detection: 39%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rRQnnfB.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpE51C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\rRQnnfB.exe C:\Users\user\AppData\Roaming\rRQnnfB.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpF613.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rRQnnfB.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpE51C.tmp"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpF613.tmp"
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: fFdw.pdb source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, rRQnnfB.exe.0.dr
Source: Binary string: fFdw.pdbSHA256TFB source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, rRQnnfB.exe.0.dr

Data Obfuscation

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, CX3iJ4B259LhE6n5YZ.cs .Net Code: WFnrnxulDq System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.86d0000.5.raw.unpack, Uo.cs .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, CX3iJ4B259LhE6n5YZ.cs .Net Code: WFnrnxulDq System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.35c0b90.2.raw.unpack, Uo.cs .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, CX3iJ4B259LhE6n5YZ.cs .Net Code: WFnrnxulDq System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_02984982 pushad ; retf 13_2_02984983
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_029857A1 pushfd ; retf 0006h 13_2_029857A2
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_02985760 pushfd ; retf 0006h 13_2_02985762
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_04FA5A52 push edx; ret 13_2_04FA5A58
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_04FA5A32 push edx; ret 13_2_04FA5A33
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBE649 push esi; retf 0006h 13_2_06CBE64A
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBE7A9 push edi; retf 0006h 13_2_06CBE7AA
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBE7B1 push edi; retf 0006h 13_2_06CBE7B2
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBE468 push ebp; retf 0006h 13_2_06CBE46A
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBE5C0 push esi; retf 0006h 13_2_06CBE5C2
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBE049 push edx; retf 0006h 13_2_06CBE04A
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBE071 push edx; retf 0006h 13_2_06CBE072
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBE1B1 push ebx; retf 0006h 13_2_06CBE1B2
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBE178 push ebx; retf 0006h 13_2_06CBE17A
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBE101 push ebx; retf 0006h 13_2_06CBE102
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBDED9 push ecx; retf 0006h 13_2_06CBDEDA
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBDE68 push ecx; retf 0006h 13_2_06CBDE6A
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBDFB8 push edx; retf 0006h 13_2_06CBDFBA
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBDF4F push ecx; retf 0006h 13_2_06CBDF52
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBDCB9 push eax; retf 0006h 13_2_06CBDCBA
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBED90 pushad ; retf 0006h 13_2_06CBED92
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Code function: 13_2_06CBE84F push edi; retf 0006h 13_2_06CBE852
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Static PE information: section name: .text entropy: 7.890111172644623
Source: rRQnnfB.exe.0.dr Static PE information: section name: .text entropy: 7.890111172644623
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, wRS7JdEQI6RiJa9NhS.cs High entropy of concatenated method names: 'qGsqacsCfa', 'AonqycRv3C', 'tVXFxbJhgY', 'lAxFQtROi7', 'tbEFfCUhV9', 'M7rFY0hTdP', 'omUFCwpve7', 'DwvFE4vfDq', 'oHMFmPIHgL', 'N9DFhPow6L'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, tt6vKJoVZYcrI4oodB.cs High entropy of concatenated method names: 'fnW9jDgwWr', 'Rol9XXhdMy', 'gxD9rxRkin', 'iZq9Zu9I6u', 'Rtj9dCSlyu', 'wqs9q8KF0i', 'Xw491VDD5J', 'sbxD3JhUA6', 'LwSDoRe3b7', 'CBuDKoHiNJ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, SlJvIeZNIyCwQr5pjh.cs High entropy of concatenated method names: 'OCxnxMceH', 'tCeMKGdXv', 'r6JGxNOn2', 'dvyyPW5nS', 'VrE7kfmqc', 'rT1wFSFpg', 'ldoOGCJpscCShvlEiB', 'q2Y7oZ6yyIVnHsEqIV', 'a3dDvv0XA', 'HV7lKJ14W'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, cAadsMdP0P3JYQkDOD.cs High entropy of concatenated method names: 'xgM1BHOu5j', 'zQP1dvZiNj', 'DwS1qRunYR', 'dj11TYf3Jn', 'ReN12uAVD5', 'pfBqWa94ga', 'b48qt3xVMX', 'KZ9q3Iu0SC', 'sCWqoZrA7H', 'cgaqK6rSPI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, TQtneES6krZtUT94TX.cs High entropy of concatenated method names: 'ToString', 'VRosH0FTyp', 'rg1sSZxsr4', 'fEjsxUR4mW', 'wpxsQL631s', 'ALtsfMBk8M', 'MyxsYvEObE', 'QQjsCnSfnh', 'Q7isE48Hn4', 'Af9smVBvFS'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, s6ncy1Lw04bCpVC7if.cs High entropy of concatenated method names: 'Dispose', 'oNSjKA5elf', 'XlovS6YUkF', 'itW55sLOdM', 'h4Lj8cBljy', 'DuGjz5GgxS', 'ProcessDialogKey', 'kWovcuBdgh', 'rr5vjisbjM', 'iUfvvKAGYK'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, oaa30fNJAoUh5TUfeuk.cs High entropy of concatenated method names: 'Pf996KyViH', 'yfd9ikf16g', 'DhX9nWTCM5', 'YJ79M5Emnb', 'Tmm9anHg0w', 'yUT9GRO5aQ', 'W8j9y5GXK2', 'SxX9N8jNAQ', 'Re397XTGyK', 'KJE9wvEL2t'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, NXXgJGNZk0xKRQAS8QG.cs High entropy of concatenated method names: 'Sofl6qPXE1', 'TgpliIg4B1', 'TBKlnJU3AU', 'eRbItx8zgOZywHM7d3r', 'bNWcyMMbpQGVakAUR7y', 'S4ijp9M4EsdKDAKQDiN'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, Fvn8m7tuOPdvJ4jDnZ.cs High entropy of concatenated method names: 'wEHT6iyD3M', 'pViTiPZRa5', 'CuwTn6KKZt', 'wRxTMmyUxk', 'bHaTannbOK', 'HU3TGnWPLV', 'eucTyxqB8X', 'KcsTNBIkgP', 'En0T7yuVRN', 'qLqTwNTaIU'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, yR88jQMAKhKEMBS7Qu.cs High entropy of concatenated method names: 'IHqRhH8bkF', 'oScRkjoqAO', 'WQNRpEeLxX', 'ltXRJMYboi', 'A8aRSWomNG', 'vJhRx61oo5', 'InIRQEV7JH', 'hxwRfTLoOh', 'o1kRYZT8kJ', 'ljHRCdKuv3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, oeey8gH5TTgCq9FdMc.cs High entropy of concatenated method names: 'C6HjTs83ZJ', 'U4Ej22xPyc', 'VinjPejMWV', 'E8uj4Sb2b2', 'IigjRX8Py7', 'ckRjs4pxBQ', 'PEJqXgPviLpQLeEbQb', 'WXJfRneRkWoWEb4vHN', 'nmBjjGLQpQ', 'myNjXDPJ0s'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, v665J5NNjabfWwhwPp6.cs High entropy of concatenated method names: 'ToString', 'XWAlXwMrYG', 'jTYlrqhljG', 'wTVlBbIV75', 'x0rlZAuktm', 'skWld6Bnei', 'UkVlFIKdkL', 'sPflqjqo31', 'BBknmk8ApeuCE73tXjN', 'M0VEtA8nZPTChFjRxBO'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, CX3iJ4B259LhE6n5YZ.cs High entropy of concatenated method names: 'tvyXBYGpP8', 'gWBXZ3CUsX', 'hLpXdMQLgv', 'Is4XFUFeHs', 'HHWXqKUsZd', 'S4pX1cWpyF', 'prmXT0rHoK', 'hjGX2yUBhh', 'JbDXVZmfgm', 'obpXP0ChjW'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, NP4J8S8hP8gr8Qji8u.cs High entropy of concatenated method names: 'hZiDgeCHsX', 'DFjDSYPckD', 'BTnDxHobBk', 'haVDQqX7uI', 'QHIDpiu4en', 'egDDfYQMBC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, ByvjEchBSQcyD9Vy3C.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Gl2vKdo5R9', 'FIFv8lcAXO', 'DxtvzKsQsy', 'jJNXcbF2Rs', 'uRDXjD7EE7', 'RWfXv3tmk1', 'zkPXXUb9mB', 'ukP3BB4M0QQHdO9uZxw'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, i0aMmgNuZExrOY05mT6.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mWslpFU3hs', 'DfnlJRGkRa', 'Lcklue5d8o', 'cjVlbcyZka', 'UaGlW9XlcY', 'yUkltOomeR', 'k5el3ISGuE'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, b1ylFLKTXKNi2gtlJZ.cs High entropy of concatenated method names: 'M9wTZ3mjFH', 'G37TFRk3Ew', 'xV5T1mkme2', 'lbc18KuF7i', 'WNa1zdimet', 'jhDTcTr4lZ', 'LINTjxt5qg', 'djFTv32CZk', 'mJsTX1UX2C', 'CkKTrbbKe6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, cA9TsJkCtNpsbMUBWc.cs High entropy of concatenated method names: 'gDeFMxHDg7', 'tZNFGFYYuG', 'pQfFNQLOOP', 'dpmF7M5Io2', 'zTSFRtAR1E', 'pARFs8gcCZ', 'fOKFUahZfY', 'lphFDGNDv8', 'GnYF9MBVK2', 'uPnFlKeLrm'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, CVeAIRqKVAUjENZeFc.cs High entropy of concatenated method names: 'YJRdpxy1NO', 'USrdJsEI7v', 'tCVdu794ZX', 'dnHdbPcqSV', 'CmvdWgnUIR', 'W5SdtbkBVk', 'IRYd3nb0I8', 'zHUdoo2DEd', 'yqgdKc1kvM', 'mcWd8VrqyV'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, Jo4VD4njEJmiQrM7K2.cs High entropy of concatenated method names: 'qRvkmtogWGstKeCOtcF', 'qVZlTAoLLquOPKwisnu', 'U8h1D25St5', 'i7m19Kryb4', 'Rn11lLF1in', 'c8s0pAoD4UJMfqDuFId', 'Elhuv2oxYbLd2IMTHeR'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, mj9pkKDWJbxAigqQ8p.cs High entropy of concatenated method names: 'qrEDZY2yGp', 'ziaDdVdsK0', 'aReDFfdEqL', 'A7uDqG3cMG', 'Q4dD1SGVPj', 'WfQDTLrjvq', 'cLbD2RiHX1', 'qu3DV2UtU9', 'YZ4DPobOqM', 'woQD4R8BD3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, RZUQGYQDOgsRHRAqv4.cs High entropy of concatenated method names: 'u0vUoIiad5', 'JrbU8sfZEj', 've0Dc5jGF6', 'PwxDjOKoAO', 'Nv4UHwrak6', 'aVFUk1voNA', 'KcTUL7Y7VZ', 'j7TUpBD9T8', 'iyPUJwKohc', 'VfTUuB6RW5'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, Gi4mvvUS94GkjKbif0.cs High entropy of concatenated method names: 'jLFANL9Bcu', 'b0eA7lDbfw', 'SilAgddMd5', 'I2HASp1hBL', 'uBAAQexT4I', 'NBlAfKaRUx', 'BrLAC4xqLg', 'dQyAEgVnmD', 'TkOAhKv7IA', 'UHEAHLKm0D'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, wRS7JdEQI6RiJa9NhS.cs High entropy of concatenated method names: 'qGsqacsCfa', 'AonqycRv3C', 'tVXFxbJhgY', 'lAxFQtROi7', 'tbEFfCUhV9', 'M7rFY0hTdP', 'omUFCwpve7', 'DwvFE4vfDq', 'oHMFmPIHgL', 'N9DFhPow6L'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, tt6vKJoVZYcrI4oodB.cs High entropy of concatenated method names: 'fnW9jDgwWr', 'Rol9XXhdMy', 'gxD9rxRkin', 'iZq9Zu9I6u', 'Rtj9dCSlyu', 'wqs9q8KF0i', 'Xw491VDD5J', 'sbxD3JhUA6', 'LwSDoRe3b7', 'CBuDKoHiNJ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, SlJvIeZNIyCwQr5pjh.cs High entropy of concatenated method names: 'OCxnxMceH', 'tCeMKGdXv', 'r6JGxNOn2', 'dvyyPW5nS', 'VrE7kfmqc', 'rT1wFSFpg', 'ldoOGCJpscCShvlEiB', 'q2Y7oZ6yyIVnHsEqIV', 'a3dDvv0XA', 'HV7lKJ14W'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, cAadsMdP0P3JYQkDOD.cs High entropy of concatenated method names: 'xgM1BHOu5j', 'zQP1dvZiNj', 'DwS1qRunYR', 'dj11TYf3Jn', 'ReN12uAVD5', 'pfBqWa94ga', 'b48qt3xVMX', 'KZ9q3Iu0SC', 'sCWqoZrA7H', 'cgaqK6rSPI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, TQtneES6krZtUT94TX.cs High entropy of concatenated method names: 'ToString', 'VRosH0FTyp', 'rg1sSZxsr4', 'fEjsxUR4mW', 'wpxsQL631s', 'ALtsfMBk8M', 'MyxsYvEObE', 'QQjsCnSfnh', 'Q7isE48Hn4', 'Af9smVBvFS'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, s6ncy1Lw04bCpVC7if.cs High entropy of concatenated method names: 'Dispose', 'oNSjKA5elf', 'XlovS6YUkF', 'itW55sLOdM', 'h4Lj8cBljy', 'DuGjz5GgxS', 'ProcessDialogKey', 'kWovcuBdgh', 'rr5vjisbjM', 'iUfvvKAGYK'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, oaa30fNJAoUh5TUfeuk.cs High entropy of concatenated method names: 'Pf996KyViH', 'yfd9ikf16g', 'DhX9nWTCM5', 'YJ79M5Emnb', 'Tmm9anHg0w', 'yUT9GRO5aQ', 'W8j9y5GXK2', 'SxX9N8jNAQ', 'Re397XTGyK', 'KJE9wvEL2t'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, NXXgJGNZk0xKRQAS8QG.cs High entropy of concatenated method names: 'Sofl6qPXE1', 'TgpliIg4B1', 'TBKlnJU3AU', 'eRbItx8zgOZywHM7d3r', 'bNWcyMMbpQGVakAUR7y', 'S4ijp9M4EsdKDAKQDiN'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, Fvn8m7tuOPdvJ4jDnZ.cs High entropy of concatenated method names: 'wEHT6iyD3M', 'pViTiPZRa5', 'CuwTn6KKZt', 'wRxTMmyUxk', 'bHaTannbOK', 'HU3TGnWPLV', 'eucTyxqB8X', 'KcsTNBIkgP', 'En0T7yuVRN', 'qLqTwNTaIU'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, yR88jQMAKhKEMBS7Qu.cs High entropy of concatenated method names: 'IHqRhH8bkF', 'oScRkjoqAO', 'WQNRpEeLxX', 'ltXRJMYboi', 'A8aRSWomNG', 'vJhRx61oo5', 'InIRQEV7JH', 'hxwRfTLoOh', 'o1kRYZT8kJ', 'ljHRCdKuv3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, oeey8gH5TTgCq9FdMc.cs High entropy of concatenated method names: 'C6HjTs83ZJ', 'U4Ej22xPyc', 'VinjPejMWV', 'E8uj4Sb2b2', 'IigjRX8Py7', 'ckRjs4pxBQ', 'PEJqXgPviLpQLeEbQb', 'WXJfRneRkWoWEb4vHN', 'nmBjjGLQpQ', 'myNjXDPJ0s'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, v665J5NNjabfWwhwPp6.cs High entropy of concatenated method names: 'ToString', 'XWAlXwMrYG', 'jTYlrqhljG', 'wTVlBbIV75', 'x0rlZAuktm', 'skWld6Bnei', 'UkVlFIKdkL', 'sPflqjqo31', 'BBknmk8ApeuCE73tXjN', 'M0VEtA8nZPTChFjRxBO'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, CX3iJ4B259LhE6n5YZ.cs High entropy of concatenated method names: 'tvyXBYGpP8', 'gWBXZ3CUsX', 'hLpXdMQLgv', 'Is4XFUFeHs', 'HHWXqKUsZd', 'S4pX1cWpyF', 'prmXT0rHoK', 'hjGX2yUBhh', 'JbDXVZmfgm', 'obpXP0ChjW'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, NP4J8S8hP8gr8Qji8u.cs High entropy of concatenated method names: 'hZiDgeCHsX', 'DFjDSYPckD', 'BTnDxHobBk', 'haVDQqX7uI', 'QHIDpiu4en', 'egDDfYQMBC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, ByvjEchBSQcyD9Vy3C.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Gl2vKdo5R9', 'FIFv8lcAXO', 'DxtvzKsQsy', 'jJNXcbF2Rs', 'uRDXjD7EE7', 'RWfXv3tmk1', 'zkPXXUb9mB', 'ukP3BB4M0QQHdO9uZxw'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, i0aMmgNuZExrOY05mT6.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mWslpFU3hs', 'DfnlJRGkRa', 'Lcklue5d8o', 'cjVlbcyZka', 'UaGlW9XlcY', 'yUkltOomeR', 'k5el3ISGuE'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, b1ylFLKTXKNi2gtlJZ.cs High entropy of concatenated method names: 'M9wTZ3mjFH', 'G37TFRk3Ew', 'xV5T1mkme2', 'lbc18KuF7i', 'WNa1zdimet', 'jhDTcTr4lZ', 'LINTjxt5qg', 'djFTv32CZk', 'mJsTX1UX2C', 'CkKTrbbKe6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, cA9TsJkCtNpsbMUBWc.cs High entropy of concatenated method names: 'gDeFMxHDg7', 'tZNFGFYYuG', 'pQfFNQLOOP', 'dpmF7M5Io2', 'zTSFRtAR1E', 'pARFs8gcCZ', 'fOKFUahZfY', 'lphFDGNDv8', 'GnYF9MBVK2', 'uPnFlKeLrm'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, CVeAIRqKVAUjENZeFc.cs High entropy of concatenated method names: 'YJRdpxy1NO', 'USrdJsEI7v', 'tCVdu794ZX', 'dnHdbPcqSV', 'CmvdWgnUIR', 'W5SdtbkBVk', 'IRYd3nb0I8', 'zHUdoo2DEd', 'yqgdKc1kvM', 'mcWd8VrqyV'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, Jo4VD4njEJmiQrM7K2.cs High entropy of concatenated method names: 'qRvkmtogWGstKeCOtcF', 'qVZlTAoLLquOPKwisnu', 'U8h1D25St5', 'i7m19Kryb4', 'Rn11lLF1in', 'c8s0pAoD4UJMfqDuFId', 'Elhuv2oxYbLd2IMTHeR'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, mj9pkKDWJbxAigqQ8p.cs High entropy of concatenated method names: 'qrEDZY2yGp', 'ziaDdVdsK0', 'aReDFfdEqL', 'A7uDqG3cMG', 'Q4dD1SGVPj', 'WfQDTLrjvq', 'cLbD2RiHX1', 'qu3DV2UtU9', 'YZ4DPobOqM', 'woQD4R8BD3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, RZUQGYQDOgsRHRAqv4.cs High entropy of concatenated method names: 'u0vUoIiad5', 'JrbU8sfZEj', 've0Dc5jGF6', 'PwxDjOKoAO', 'Nv4UHwrak6', 'aVFUk1voNA', 'KcTUL7Y7VZ', 'j7TUpBD9T8', 'iyPUJwKohc', 'VfTUuB6RW5'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.6eb0000.4.raw.unpack, Gi4mvvUS94GkjKbif0.cs High entropy of concatenated method names: 'jLFANL9Bcu', 'b0eA7lDbfw', 'SilAgddMd5', 'I2HASp1hBL', 'uBAAQexT4I', 'NBlAfKaRUx', 'BrLAC4xqLg', 'dQyAEgVnmD', 'TkOAhKv7IA', 'UHEAHLKm0D'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, wRS7JdEQI6RiJa9NhS.cs High entropy of concatenated method names: 'qGsqacsCfa', 'AonqycRv3C', 'tVXFxbJhgY', 'lAxFQtROi7', 'tbEFfCUhV9', 'M7rFY0hTdP', 'omUFCwpve7', 'DwvFE4vfDq', 'oHMFmPIHgL', 'N9DFhPow6L'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, tt6vKJoVZYcrI4oodB.cs High entropy of concatenated method names: 'fnW9jDgwWr', 'Rol9XXhdMy', 'gxD9rxRkin', 'iZq9Zu9I6u', 'Rtj9dCSlyu', 'wqs9q8KF0i', 'Xw491VDD5J', 'sbxD3JhUA6', 'LwSDoRe3b7', 'CBuDKoHiNJ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, SlJvIeZNIyCwQr5pjh.cs High entropy of concatenated method names: 'OCxnxMceH', 'tCeMKGdXv', 'r6JGxNOn2', 'dvyyPW5nS', 'VrE7kfmqc', 'rT1wFSFpg', 'ldoOGCJpscCShvlEiB', 'q2Y7oZ6yyIVnHsEqIV', 'a3dDvv0XA', 'HV7lKJ14W'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, cAadsMdP0P3JYQkDOD.cs High entropy of concatenated method names: 'xgM1BHOu5j', 'zQP1dvZiNj', 'DwS1qRunYR', 'dj11TYf3Jn', 'ReN12uAVD5', 'pfBqWa94ga', 'b48qt3xVMX', 'KZ9q3Iu0SC', 'sCWqoZrA7H', 'cgaqK6rSPI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, TQtneES6krZtUT94TX.cs High entropy of concatenated method names: 'ToString', 'VRosH0FTyp', 'rg1sSZxsr4', 'fEjsxUR4mW', 'wpxsQL631s', 'ALtsfMBk8M', 'MyxsYvEObE', 'QQjsCnSfnh', 'Q7isE48Hn4', 'Af9smVBvFS'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, s6ncy1Lw04bCpVC7if.cs High entropy of concatenated method names: 'Dispose', 'oNSjKA5elf', 'XlovS6YUkF', 'itW55sLOdM', 'h4Lj8cBljy', 'DuGjz5GgxS', 'ProcessDialogKey', 'kWovcuBdgh', 'rr5vjisbjM', 'iUfvvKAGYK'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, oaa30fNJAoUh5TUfeuk.cs High entropy of concatenated method names: 'Pf996KyViH', 'yfd9ikf16g', 'DhX9nWTCM5', 'YJ79M5Emnb', 'Tmm9anHg0w', 'yUT9GRO5aQ', 'W8j9y5GXK2', 'SxX9N8jNAQ', 'Re397XTGyK', 'KJE9wvEL2t'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, NXXgJGNZk0xKRQAS8QG.cs High entropy of concatenated method names: 'Sofl6qPXE1', 'TgpliIg4B1', 'TBKlnJU3AU', 'eRbItx8zgOZywHM7d3r', 'bNWcyMMbpQGVakAUR7y', 'S4ijp9M4EsdKDAKQDiN'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, Fvn8m7tuOPdvJ4jDnZ.cs High entropy of concatenated method names: 'wEHT6iyD3M', 'pViTiPZRa5', 'CuwTn6KKZt', 'wRxTMmyUxk', 'bHaTannbOK', 'HU3TGnWPLV', 'eucTyxqB8X', 'KcsTNBIkgP', 'En0T7yuVRN', 'qLqTwNTaIU'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, yR88jQMAKhKEMBS7Qu.cs High entropy of concatenated method names: 'IHqRhH8bkF', 'oScRkjoqAO', 'WQNRpEeLxX', 'ltXRJMYboi', 'A8aRSWomNG', 'vJhRx61oo5', 'InIRQEV7JH', 'hxwRfTLoOh', 'o1kRYZT8kJ', 'ljHRCdKuv3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, oeey8gH5TTgCq9FdMc.cs High entropy of concatenated method names: 'C6HjTs83ZJ', 'U4Ej22xPyc', 'VinjPejMWV', 'E8uj4Sb2b2', 'IigjRX8Py7', 'ckRjs4pxBQ', 'PEJqXgPviLpQLeEbQb', 'WXJfRneRkWoWEb4vHN', 'nmBjjGLQpQ', 'myNjXDPJ0s'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, v665J5NNjabfWwhwPp6.cs High entropy of concatenated method names: 'ToString', 'XWAlXwMrYG', 'jTYlrqhljG', 'wTVlBbIV75', 'x0rlZAuktm', 'skWld6Bnei', 'UkVlFIKdkL', 'sPflqjqo31', 'BBknmk8ApeuCE73tXjN', 'M0VEtA8nZPTChFjRxBO'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, CX3iJ4B259LhE6n5YZ.cs High entropy of concatenated method names: 'tvyXBYGpP8', 'gWBXZ3CUsX', 'hLpXdMQLgv', 'Is4XFUFeHs', 'HHWXqKUsZd', 'S4pX1cWpyF', 'prmXT0rHoK', 'hjGX2yUBhh', 'JbDXVZmfgm', 'obpXP0ChjW'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, NP4J8S8hP8gr8Qji8u.cs High entropy of concatenated method names: 'hZiDgeCHsX', 'DFjDSYPckD', 'BTnDxHobBk', 'haVDQqX7uI', 'QHIDpiu4en', 'egDDfYQMBC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, ByvjEchBSQcyD9Vy3C.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Gl2vKdo5R9', 'FIFv8lcAXO', 'DxtvzKsQsy', 'jJNXcbF2Rs', 'uRDXjD7EE7', 'RWfXv3tmk1', 'zkPXXUb9mB', 'ukP3BB4M0QQHdO9uZxw'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, i0aMmgNuZExrOY05mT6.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mWslpFU3hs', 'DfnlJRGkRa', 'Lcklue5d8o', 'cjVlbcyZka', 'UaGlW9XlcY', 'yUkltOomeR', 'k5el3ISGuE'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, b1ylFLKTXKNi2gtlJZ.cs High entropy of concatenated method names: 'M9wTZ3mjFH', 'G37TFRk3Ew', 'xV5T1mkme2', 'lbc18KuF7i', 'WNa1zdimet', 'jhDTcTr4lZ', 'LINTjxt5qg', 'djFTv32CZk', 'mJsTX1UX2C', 'CkKTrbbKe6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, cA9TsJkCtNpsbMUBWc.cs High entropy of concatenated method names: 'gDeFMxHDg7', 'tZNFGFYYuG', 'pQfFNQLOOP', 'dpmF7M5Io2', 'zTSFRtAR1E', 'pARFs8gcCZ', 'fOKFUahZfY', 'lphFDGNDv8', 'GnYF9MBVK2', 'uPnFlKeLrm'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, CVeAIRqKVAUjENZeFc.cs High entropy of concatenated method names: 'YJRdpxy1NO', 'USrdJsEI7v', 'tCVdu794ZX', 'dnHdbPcqSV', 'CmvdWgnUIR', 'W5SdtbkBVk', 'IRYd3nb0I8', 'zHUdoo2DEd', 'yqgdKc1kvM', 'mcWd8VrqyV'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, Jo4VD4njEJmiQrM7K2.cs High entropy of concatenated method names: 'qRvkmtogWGstKeCOtcF', 'qVZlTAoLLquOPKwisnu', 'U8h1D25St5', 'i7m19Kryb4', 'Rn11lLF1in', 'c8s0pAoD4UJMfqDuFId', 'Elhuv2oxYbLd2IMTHeR'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, mj9pkKDWJbxAigqQ8p.cs High entropy of concatenated method names: 'qrEDZY2yGp', 'ziaDdVdsK0', 'aReDFfdEqL', 'A7uDqG3cMG', 'Q4dD1SGVPj', 'WfQDTLrjvq', 'cLbD2RiHX1', 'qu3DV2UtU9', 'YZ4DPobOqM', 'woQD4R8BD3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, RZUQGYQDOgsRHRAqv4.cs High entropy of concatenated method names: 'u0vUoIiad5', 'JrbU8sfZEj', 've0Dc5jGF6', 'PwxDjOKoAO', 'Nv4UHwrak6', 'aVFUk1voNA', 'KcTUL7Y7VZ', 'j7TUpBD9T8', 'iyPUJwKohc', 'VfTUuB6RW5'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, Gi4mvvUS94GkjKbif0.cs High entropy of concatenated method names: 'jLFANL9Bcu', 'b0eA7lDbfw', 'SilAgddMd5', 'I2HASp1hBL', 'uBAAQexT4I', 'NBlAfKaRUx', 'BrLAC4xqLg', 'dQyAEgVnmD', 'TkOAhKv7IA', 'UHEAHLKm0D'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe File created: C:\Users\user\AppData\Roaming\rRQnnfB.exe

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpE51C.tmp"

Hooking and other Techniques for Hiding and Protection

Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe, 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: rRQnnfB.exe, 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: rRQnnfB.exe, 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 identical events) Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical events) Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process information set: NOOPENFILEERRORBOX (48 identical events) Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (192 identical events) Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rRQnnfB.exe PID: 7220, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Memory allocated: 880000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Memory allocated: 25A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Memory allocated: 45A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Memory allocated: 8850000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Memory allocated: 9850000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Memory allocated: 9A60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Memory allocated: AA60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Memory allocated: B1F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Memory allocated: C1F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Memory allocated: D1F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Memory allocated: 2810000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Memory allocated: 2A30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Memory allocated: 2970000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Memory allocated: 86E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Memory allocated: 6E00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Memory allocated: 96E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Memory allocated: A6E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Memory allocated: AF80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Memory allocated: BF80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5778
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1427
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6102
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe TID: 6948 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4500 Thread sleep count: 5778 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4208 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4888 Thread sleep count: 1427 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6588 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7176 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3604 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe TID: 7368 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rRQnnfB.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpE51C.tmp"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rRQnnfB" /XML "C:\Users\user\AppData\Local\Temp\tmpF613.tmp"
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Queries volume information: C:\Users\user\AppData\Roaming\rRQnnfB.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\rRQnnfB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe PID: 6896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rRQnnfB.exe PID: 7220, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 13.2.rRQnnfB.exe.4332420.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4099368.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.4036748.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28365.916.exe.3fd3b28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rRQnnfB.exe.434f090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rRQnnfB.exe.4332420.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1872203758.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1920536185.00000000042C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos