Windows Analysis Report
SecuriteInfo.com.PWSX-gen.32561.14552.exe

Overview

General Information

Sample name: SecuriteInfo.com.PWSX-gen.32561.14552.exe
Analysis ID: 1427764
MD5: 8ae8e59f0df6887a86d8ac303d004095
SHA1: 9cd99884369adfd6bb5d9f3426c91b25f4979281
SHA256: 30e181e98cb75e4324746fd2d27fcc9987a51dfd0182b45eab54781df26c1d33
Tags: AgentTeslaexe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Avira: detection malicious, Label: HEUR/AGEN.1308640
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Avira: detection malicious, Label: HEUR/AGEN.1308640
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Virustotal: Detection: 38% Perma Link
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Virustotal: Detection: 38% Perma Link
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe ReversingLabs: Detection: 26%
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe Virustotal: Detection: 38% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 4x nop then jmp 074E5CD1h 0_2_074E5738
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 4x nop then jmp 024850F9h 8_2_02484B60
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 4x nop then jmp 0D334FC9h 12_2_0D334A30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 4x nop then jmp 076A4FC9h 19_2_076A4A30

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49733 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49733 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49733 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49733 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49733 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49733 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49736 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49736 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49736 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49736 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49736 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49736 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49740 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49740 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49740 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49740 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49740 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49740 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49743 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49743 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49743 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49743 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49743 -> 50.87.253.239:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49743 -> 50.87.253.239:587
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49733 -> 50.87.253.239:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 50.87.253.239 50.87.253.239
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49733 -> 50.87.253.239:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: mail.clslk.com
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000006.00000002.3103520162.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, tiucdfZoOi.exe, 0000000B.00000002.3107567072.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000010.00000002.2116074967.0000000002A3A000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000016.00000002.3107557708.000000000341A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.clslk.com
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1893332055.0000000002C58000.00000004.00000800.00020000.00000000.sdmp, tiucdfZoOi.exe, 00000008.00000002.1937145335.0000000002729000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 0000000C.00000002.2051696888.0000000003448000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000013.00000002.2134532225.00000000033B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, tiucdfZoOi.exe.0.dr, boqXv.exe.6.dr String found in binary or memory: http://weather.yahooapis.com/forecastrss?w=4118
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, tiucdfZoOi.exe.0.dr, boqXv.exe.6.dr String found in binary or memory: http://www.ctvnews.ca/rss/business/ctv-news-business-headlines-1.867648
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, tiucdfZoOi.exe.0.dr, boqXv.exe.6.dr String found in binary or memory: http://www.ctvnews.ca/rss/ctvnews-ca-top-stories-public-rss-1.822009
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897743761.0000000005A40000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897775664.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, tiucdfZoOi.exe.0.dr, boqXv.exe.6.dr String found in binary or memory: http://xml.weather.yahoo.com/ns/rss/1.0
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1893998929.00000000046DF000.00000004.00000800.00020000.00000000.sdmp, tiucdfZoOi.exe, 00000008.00000002.1938641021.00000000041A6000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 0000000C.00000002.2054981881.0000000004ECF000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000010.00000002.2110975637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, boqXv.exe, 00000013.00000002.2144327885.0000000004E3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, umlRMRbjNqD.cs .Net Code: fKv0R

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 12.2.boqXv.exe.4ecfb08.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.tiucdfZoOi.exe.41a6420.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.boqXv.exe.4f0ab28.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.tiucdfZoOi.exe.41e1440.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.boqXv.exe.4e3f650.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.boqXv.exe.4e7a670.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.boqXv.exe.4e7a670.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.tiucdfZoOi.exe.41a6420.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.boqXv.exe.4f0ab28.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.tiucdfZoOi.exe.41e1440.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.boqXv.exe.4e3f650.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.boqXv.exe.4ecfb08.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
.NET source code contains very large array initializations
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.29f397c.0.raw.unpack, LoginForm.cs Large array initialization: : array initializer size 33603
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.52a0000.4.raw.unpack, LoginForm.cs Large array initialization: : array initializer size 33603
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 0_2_07261190 0_2_07261190
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 0_2_072602E0 0_2_072602E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 0_2_07262030 0_2_07262030
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 0_2_07263258 0_2_07263258
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 0_2_072634A0 0_2_072634A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 0_2_07262EE8 0_2_07262EE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 0_2_00FFDDCC 0_2_00FFDDCC
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 0_2_074E7410 0_2_074E7410
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 0_2_074E1308 0_2_074E1308
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 0_2_074E12F8 0_2_074E12F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 6_2_050AD658 6_2_050AD658
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 6_2_050AA3D8 6_2_050AA3D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 6_2_050A3EB8 6_2_050A3EB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 6_2_050A4AD0 6_2_050A4AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 6_2_050A4200 6_2_050A4200
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 6_2_0625B5A0 6_2_0625B5A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 6_2_06259F7C 6_2_06259F7C
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 6_2_06260E60 6_2_06260E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 6_2_06269F80 6_2_06269F80
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 6_2_06265B80 6_2_06265B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 6_2_06263398 6_2_06263398
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 6_2_062643F8 6_2_062643F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 6_2_0626902A 6_2_0626902A
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 6_2_0626C1A0 6_2_0626C1A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 6_2_0626E190 6_2_0626E190
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 6_2_062654A0 6_2_062654A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 6_2_06263ADB 6_2_06263ADB
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 8_2_0095DDCC 8_2_0095DDCC
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 8_2_02481308 8_2_02481308
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 8_2_02486708 8_2_02486708
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 8_2_024877D0 8_2_024877D0
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 8_2_04C9D9C8 8_2_04C9D9C8
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 8_2_04C9FBD8 8_2_04C9FBD8
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 8_2_04C9FBC8 8_2_04C9FBC8
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_014CA3D0 11_2_014CA3D0
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_014CD650 11_2_014CD650
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_014C9810 11_2_014C9810
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_014C4AD0 11_2_014C4AD0
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_014C3EB8 11_2_014C3EB8
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_014C4200 11_2_014C4200
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_064DB5A0 11_2_064DB5A0
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_064D9F7C 11_2_064D9F7C
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_064E0E60 11_2_064E0E60
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_064E9F80 11_2_064E9F80
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_064E43F8 11_2_064E43F8
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_064E5B80 11_2_064E5B80
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_064E9038 11_2_064E9038
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_064EC1A0 11_2_064EC1A0
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_064EE1A0 11_2_064EE1A0
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_064E54A0 11_2_064E54A0
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_064E3AF0 11_2_064E3AF0
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_064E3398 11_2_064E3398
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_0138DDCC 12_2_0138DDCC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_077502E0 12_2_077502E0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_077541E8 12_2_077541E8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_07751190 12_2_07751190
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_07753ED0 12_2_07753ED0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_0775F568 12_2_0775F568
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_07753491 12_2_07753491
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_07758378 12_2_07758378
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_07753258 12_2_07753258
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_0775324B 12_2_0775324B
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_077502D3 12_2_077502D3
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_07755150 12_2_07755150
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_0775F130 12_2_0775F130
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_077541D8 12_2_077541D8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_07752030 12_2_07752030
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_07752020 12_2_07752020
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_077510A0 12_2_077510A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_07751E3B 12_2_07751E3B
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_07752EE8 12_2_07752EE8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_07752ED8 12_2_07752ED8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_07753EC1 12_2_07753EC1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_0775ECF8 12_2_0775ECF8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_0775ECE3 12_2_0775ECE3
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_0775ECDB 12_2_0775ECDB
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_0775F9A0 12_2_0775F9A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_0775F990 12_2_0775F990
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_077568B8 12_2_077568B8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_077568AB 12_2_077568AB
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_0D336710 12_2_0D336710
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_0D331308 12_2_0D331308
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_04E64200 16_2_04E64200
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_04E63EB8 16_2_04E63EB8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_04E69F68 16_2_04E69F68
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_04E64AD0 16_2_04E64AD0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_04E6D4F0 16_2_04E6D4F0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_04E6E46F 16_2_04E6E46F
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_04E69F61 16_2_04E69F61
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_05DEB400 16_2_05DEB400
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_05DE9DCC 16_2_05DE9DCC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_05DF9F80 16_2_05DF9F80
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_05DF0E60 16_2_05DF0E60
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_05DFE1A0 16_2_05DFE1A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_05DF9038 16_2_05DF9038
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_05DF43F8 16_2_05DF43F8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_05DF3398 16_2_05DF3398
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_05DF5B80 16_2_05DF5B80
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_05DF54A0 16_2_05DF54A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_05DFC1A0 16_2_05DFC1A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_05DF3AF0 16_2_05DF3AF0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_0166DDCC 19_2_0166DDCC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_057AD9C8 19_2_057AD9C8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_057AFBD8 19_2_057AFBD8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_057AFBC8 19_2_057AFBC8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DCF568 19_2_05DCF568
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC3491 19_2_05DC3491
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC41D8 19_2_05DC41D8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC41E8 19_2_05DC41E8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC1190 19_2_05DC1190
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC5150 19_2_05DC5150
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DCF130 19_2_05DCF130
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC10A0 19_2_05DC10A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC2030 19_2_05DC2030
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC2020 19_2_05DC2020
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC8378 19_2_05DC8378
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC02D2 19_2_05DC02D2
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC02E0 19_2_05DC02E0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC3258 19_2_05DC3258
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC324A 19_2_05DC324A
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DCECDC 19_2_05DCECDC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DCECF8 19_2_05DCECF8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC2ED8 19_2_05DC2ED8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC3ED0 19_2_05DC3ED0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC3EC1 19_2_05DC3EC1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC2EE8 19_2_05DC2EE8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC1E3A 19_2_05DC1E3A
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DCF990 19_2_05DCF990
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DCF9A0 19_2_05DCF9A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC68B8 19_2_05DC68B8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC68AA 19_2_05DC68AA
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_076A6710 19_2_076A6710
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_076A1308 19_2_076A1308
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 22_2_01A04200 22_2_01A04200
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 22_2_01A04AD0 22_2_01A04AD0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 22_2_01A09EA8 22_2_01A09EA8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 22_2_01A03EB8 22_2_01A03EB8
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1890929928.000000000093E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1897433222.00000000052A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1900625854.000000000A070000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1893332055.00000000029A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1893332055.0000000002C58000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename9e4810db-acaa-47dc-a281-6153255fd520.exe4 vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000000.1836436871.00000000004EA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameGVTR.exe0 vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1893998929.000000000437E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000000.00000002.1893998929.00000000046DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename9e4810db-acaa-47dc-a281-6153255fd520.exe4 vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000006.00000002.3098208191.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe Binary or memory string: OriginalFilenameGVTR.exe0 vs SecuriteInfo.com.PWSX-gen.32561.14552.exe
Uses 32bit PE files
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 12.2.boqXv.exe.4ecfb08.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.tiucdfZoOi.exe.41a6420.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.boqXv.exe.4f0ab28.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.tiucdfZoOi.exe.41e1440.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.boqXv.exe.4e3f650.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.boqXv.exe.4e7a670.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.boqXv.exe.4e7a670.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.tiucdfZoOi.exe.41a6420.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.boqXv.exe.4f0ab28.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.tiucdfZoOi.exe.41e1440.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.boqXv.exe.4e3f650.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.boqXv.exe.4ecfb08.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tiucdfZoOi.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, v9Lsz.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, VFo.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, 5FJ0H20tobu.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, NtdoTGO.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, XBsYgp.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, AwxUa2Na.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, 19C9FfZ.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, 19C9FfZ.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, soCD8XkwU.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, soCD8XkwU.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, UBZDfSvn1N5VCoRKKR.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, UBZDfSvn1N5VCoRKKR.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, pkU6ym2vK1iQp8Na4g.cs Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, pkU6ym2vK1iQp8Na4g.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, pkU6ym2vK1iQp8Na4g.cs Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, UBZDfSvn1N5VCoRKKR.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, UBZDfSvn1N5VCoRKKR.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, pkU6ym2vK1iQp8Na4g.cs Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, pkU6ym2vK1iQp8Na4g.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, pkU6ym2vK1iQp8Na4g.cs Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, UBZDfSvn1N5VCoRKKR.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, UBZDfSvn1N5VCoRKKR.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, pkU6ym2vK1iQp8Na4g.cs Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, pkU6ym2vK1iQp8Na4g.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, pkU6ym2vK1iQp8Na4g.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@28/16@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe File created: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Mutant created: \Sessions\1\BaseNamedObjects\hBlThTfTaEtA
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2188:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe File created: C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp Jump to behavior
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe ReversingLabs: Detection: 26%
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe Virustotal: Detection: 38%
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe "C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe "C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe C:\Users\user\AppData\Roaming\tiucdfZoOi.exe
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp6B88.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process created: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp97D8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmpB88F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe "C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp6B88.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process created: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp97D8.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmpB88F.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.29f397c.0.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, pkU6ym2vK1iQp8Na4g.cs .Net Code: QV6iCsNyFN System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.52a0000.4.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, pkU6ym2vK1iQp8Na4g.cs .Net Code: QV6iCsNyFN System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, pkU6ym2vK1iQp8Na4g.cs .Net Code: QV6iCsNyFN System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 0_2_07253757 push 3861A8E5h; iretd 0_2_0725375C
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 0_2_072515BA push ds; retf 0_2_072515BB
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 0_2_07254DE9 pushfd ; ret 0_2_07254DEA
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 0_2_07252AF7 pushad ; retf 0_2_07252B05
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Code function: 0_2_074E8865 push FFFFFF8Bh; iretd 0_2_074E8867
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Code function: 11_2_064DFD30 push es; ret 11_2_064DFD40
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_07750BE7 pushad ; retf 12_2_07750BE8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_07750BDD pushad ; retf 12_2_07750BDE
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_0D337B65 push FFFFFF8Bh; iretd 12_2_0D337B67
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC0BDD pushad ; retf 19_2_05DC0BDE
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DC0BE7 pushad ; retf 19_2_05DC0BE8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_05DCEAA7 push ss; iretd 19_2_05DCEAA8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_076A7B65 push FFFFFF8Bh; iretd 19_2_076A7B67
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 19_2_076A502B push 00000007h; iretd 19_2_076A5034
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe Static PE information: section name: .text entropy: 7.94386929990432
Source: tiucdfZoOi.exe.0.dr Static PE information: section name: .text entropy: 7.94386929990432
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, jWpHGA0DfRyfU60dN8.cs High entropy of concatenated method names: 'TQKExR61of', 'UiDEhsSH7N', 'dE0Efp2yDf', 'wqSEZtGgYF', 'IrYEQufbOE', 'nWbE2trLGT', 'DRhmoWYLOl5b3fSgjC', 'qcpadr9nGje6RTeBJW', 'oWVEEEAP11', 'clyEmn3oLm'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, KoVNS2QPr0D8xYKS6t.cs High entropy of concatenated method names: 'APN0MFD4Jo', 'w0i0oYUAl5', 'NL50l6Vdqb', 'eSB0TNtY24', 'uE70QyCxmt', 'Iim021tc0W', 'uvq0W4Nv7F', 'f410rtxWdO', 's5h0doIO0m', 'iyr0nPXyG7'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, OaibpBK1bvahCIVHhB.cs High entropy of concatenated method names: 'hKRKe2pYbc', 'bxfKBhByKQ', 'a01KFWnrTu', 'B9pKxNhKh6', 'bpAKh0DBXd', 'UQtFOs3M0n', 'ChPFq8XnWP', 'VHTFXQZvrA', 'wwXF7N1hEP', 'FK3Fj1mjnY'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, SfjqglIIaYp2yKY8rg.cs High entropy of concatenated method names: 'um2xLTZvZJ', 'V8SxaetNWR', 'x78xCDvf2a', 'qJkxM45IGA', 'FLNxJQo5Z7', 'ixrxoN6eO5', 'luGxvbxxsR', 'cMMxl6SjXN', 'TEYxTYxbsy', 'Kq1xtMVTGh'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, vP7EpM1GqhThhI2umb.cs High entropy of concatenated method names: 'jAJrNZ3NqI', 'XGTrBrNXcs', 'vvir0eFfqj', 'GofrFK5Eaw', 'I69rK0vTN0', 'PW5rx6WoXQ', 'jD1rhtLgvp', 'v4prS9R4Md', 'KeArf6h9Fg', 'HBorZI56dE'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, X0nIyHPWpr2jFPUHUZ0.cs High entropy of concatenated method names: 'crVdL9Hi66', 'm4gdayKRUt', 'KDPdC0PiN6', 'aENdMZZnHL', 'dg3dJX4PDS', 'nsddoRuDba', 'onodvaLUtL', 'ULGdla9pRV', 'tCVdT0J4qL', 'J8cdt7ZVjH'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, l3eqVArlDZPW5WaULi.cs High entropy of concatenated method names: 'svAglVqdoi', 'LB2gT3HGhC', 'mugg35R1CQ', 'gkag4o91ip', 'Dragb8FYCa', 'Jj0gAv6Z5k', 'z33gHEcPfy', 'mkrgIF5XeS', 'BRugwPbKRq', 'Nn6gUHk4va'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, Nl9pgWNbVilv1BBdx0.cs High entropy of concatenated method names: 'cO2FJVpT4N', 'bwQFvsUpcU', 'Jb20sBnFPf', 'GHV0bo5Kkl', 'WyK0Ah2MII', 'EFX0YtQmFc', 'OP20HKRjyc', 'njZ0I4xPyA', 'xJA0psSloF', 'Tdb0wkrKwH'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, bfXI8LBDuwM5MDXjHi.cs High entropy of concatenated method names: 'VH9K8pXRx0', 'xLfK65KEX1', 'IwIKOHsTI3', 'ToString', 'XYVKqCmuyk', 'inpKXvMQBi', 'VcqeJtvmNKESuE3746V', 'rqiwHZvU0c39QLCECri', 'jg2HZwvKJNExp516xKk', 'HqwG7DveKgxDRVqW9FP'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, sl7bPKUPIshOXOM697.cs High entropy of concatenated method names: 'Dispose', 'HF3EjKo7wC', 'luGR4o6OFN', 'tuUGGeuyEq', 'oFVEcqoqsq', 'jNCEzQrX2s', 'ProcessDialogKey', 'hlrRDYcl1J', 'qLJREHkuU2', 'jMeRRgbHhJ'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, pkU6ym2vK1iQp8Na4g.cs High entropy of concatenated method names: 'fOmmeZrPYu', 'QEZmNneaEp', 'kHKmBgyJfG', 'Kq9m0bNbUq', 'YdYmF8oYWp', 'yf9mKJtp73', 'KLAmxtOpUV', 'E0cmh6FywU', 'r26mS0RXSy', 'oUymfT8PJ8'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, xcnE113lWKEtGGOGjl.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'prgRj842Jb', 'J6nRcHd7C6', 'SDtRzUkXdW', 'Bb5mDH22PD', 'iT2mEJAANN', 'opNmRs2V5M', 'K2Omm7yVOb', 's95ZcfciLCKKX2xUqOh'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, Ir1kGbTicf0UUXiQMy.cs High entropy of concatenated method names: 'J2rW79ixaJ', 'F94Wc1DuNd', 'i9drD4KYWW', 'IqCrEaIABk', 'tuOWUvgdOk', 'qtTW5jFOBu', 'hADW9riuiG', 'MEPW1LqgZQ', 'r9QWkfowna', 'BeXW8JkdyZ'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, DGFItyE8JVDxUwV3ep.cs High entropy of concatenated method names: 'BvWCS6uR5', 'jCWM0RBXC', 'oBFoJU41j', 'ndAvKKt97', 'SZATpCqoH', 'DsetsVWln', 'qEqcKvp75lTGYTtKiV', 'PB4R4MgRbxbJbWLtc6', 'PwQrKgrfK', 'fx1nQGiD1'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, iIjX2YPPkaL15b1JJTX.cs High entropy of concatenated method names: 'ToString', 'PQOnmiOryd', 'qJ1nifmsCO', 'v3lneeipGA', 'JOhnNqHMdV', 'wVdnB3IVaB', 'rBWn0pO63u', 'Q3PnFwxAGs', 'QKcgjWiysxsANj55xrB', 'MZKU6IipCsJbuf8I6YW'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, uonbnmLG0MiFhH5EdT.cs High entropy of concatenated method names: 'ijudEYmRdg', 'ns9dmAyOn3', 'L0Gdiyh8T7', 'rOodNwDI8V', 'rhtdBYAvMN', 'rpedFVKfBH', 'u8wdKMcq9o', 'g6jrXsw9WC', 'k3Pr7GdSIN', 'kqIrjCFbaK'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, XuqtffC1mjMy4V4QNS.cs High entropy of concatenated method names: 'G1SWf8KLlr', 'nLrWZml4Iw', 'ToString', 'wKiWNyO6UK', 'U6GWB5LQFU', 'Og0W0FIgbi', 'QYyWFr3ukK', 'HJVWKpjj9H', 'fdbWxElkl9', 'pobWhruA64'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, ym5hm3Pbv9EBhKIXh85.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pobn1bsLNG', 'SKonkEu9Dl', 'OOIn8VKfcW', 'eDLn6dMKCv', 'De9nOK0rJy', 'gy3nqiHe3A', 'njVnX5OULX'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, OpHZEfAsiWMwvLMccU.cs High entropy of concatenated method names: 'ToString', 'By82UingMr', 'sTa24pxnws', 'K692s8VmXn', 'Uah2bwsDnL', 'Bsy2AIjN22', 'BvZ2YBXPnO', 'XNx2HZEr5F', 'baP2IZuLwE', 'U2K2peKvMT'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, UBZDfSvn1N5VCoRKKR.cs High entropy of concatenated method names: 'wo8B199eAO', 'DmMBkwggyg', 'iwtB8Txkyb', 'CTiB6iXjxP', 'FsaBO14qLV', 'tyABqML2xB', 'HyHBXBTIqU', 'dx4B7fMkC2', 'uOVBjIXp1O', 'MpTBcWHlt8'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4586300.1.raw.unpack, JQ6Bl2FiGQCC0cdEjA.cs High entropy of concatenated method names: 'OTNr3SsWpu', 'riBr4NEB27', 'Rpjrs1xTsr', 'YiyrbpTiit', 'YG3r1J1b7V', 'XX8rAhGUsx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, jWpHGA0DfRyfU60dN8.cs High entropy of concatenated method names: 'TQKExR61of', 'UiDEhsSH7N', 'dE0Efp2yDf', 'wqSEZtGgYF', 'IrYEQufbOE', 'nWbE2trLGT', 'DRhmoWYLOl5b3fSgjC', 'qcpadr9nGje6RTeBJW', 'oWVEEEAP11', 'clyEmn3oLm'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, KoVNS2QPr0D8xYKS6t.cs High entropy of concatenated method names: 'APN0MFD4Jo', 'w0i0oYUAl5', 'NL50l6Vdqb', 'eSB0TNtY24', 'uE70QyCxmt', 'Iim021tc0W', 'uvq0W4Nv7F', 'f410rtxWdO', 's5h0doIO0m', 'iyr0nPXyG7'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, OaibpBK1bvahCIVHhB.cs High entropy of concatenated method names: 'hKRKe2pYbc', 'bxfKBhByKQ', 'a01KFWnrTu', 'B9pKxNhKh6', 'bpAKh0DBXd', 'UQtFOs3M0n', 'ChPFq8XnWP', 'VHTFXQZvrA', 'wwXF7N1hEP', 'FK3Fj1mjnY'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, SfjqglIIaYp2yKY8rg.cs High entropy of concatenated method names: 'um2xLTZvZJ', 'V8SxaetNWR', 'x78xCDvf2a', 'qJkxM45IGA', 'FLNxJQo5Z7', 'ixrxoN6eO5', 'luGxvbxxsR', 'cMMxl6SjXN', 'TEYxTYxbsy', 'Kq1xtMVTGh'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, vP7EpM1GqhThhI2umb.cs High entropy of concatenated method names: 'jAJrNZ3NqI', 'XGTrBrNXcs', 'vvir0eFfqj', 'GofrFK5Eaw', 'I69rK0vTN0', 'PW5rx6WoXQ', 'jD1rhtLgvp', 'v4prS9R4Md', 'KeArf6h9Fg', 'HBorZI56dE'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, X0nIyHPWpr2jFPUHUZ0.cs High entropy of concatenated method names: 'crVdL9Hi66', 'm4gdayKRUt', 'KDPdC0PiN6', 'aENdMZZnHL', 'dg3dJX4PDS', 'nsddoRuDba', 'onodvaLUtL', 'ULGdla9pRV', 'tCVdT0J4qL', 'J8cdt7ZVjH'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, l3eqVArlDZPW5WaULi.cs High entropy of concatenated method names: 'svAglVqdoi', 'LB2gT3HGhC', 'mugg35R1CQ', 'gkag4o91ip', 'Dragb8FYCa', 'Jj0gAv6Z5k', 'z33gHEcPfy', 'mkrgIF5XeS', 'BRugwPbKRq', 'Nn6gUHk4va'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, Nl9pgWNbVilv1BBdx0.cs High entropy of concatenated method names: 'cO2FJVpT4N', 'bwQFvsUpcU', 'Jb20sBnFPf', 'GHV0bo5Kkl', 'WyK0Ah2MII', 'EFX0YtQmFc', 'OP20HKRjyc', 'njZ0I4xPyA', 'xJA0psSloF', 'Tdb0wkrKwH'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, bfXI8LBDuwM5MDXjHi.cs High entropy of concatenated method names: 'VH9K8pXRx0', 'xLfK65KEX1', 'IwIKOHsTI3', 'ToString', 'XYVKqCmuyk', 'inpKXvMQBi', 'VcqeJtvmNKESuE3746V', 'rqiwHZvU0c39QLCECri', 'jg2HZwvKJNExp516xKk', 'HqwG7DveKgxDRVqW9FP'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, sl7bPKUPIshOXOM697.cs High entropy of concatenated method names: 'Dispose', 'HF3EjKo7wC', 'luGR4o6OFN', 'tuUGGeuyEq', 'oFVEcqoqsq', 'jNCEzQrX2s', 'ProcessDialogKey', 'hlrRDYcl1J', 'qLJREHkuU2', 'jMeRRgbHhJ'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, pkU6ym2vK1iQp8Na4g.cs High entropy of concatenated method names: 'fOmmeZrPYu', 'QEZmNneaEp', 'kHKmBgyJfG', 'Kq9m0bNbUq', 'YdYmF8oYWp', 'yf9mKJtp73', 'KLAmxtOpUV', 'E0cmh6FywU', 'r26mS0RXSy', 'oUymfT8PJ8'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, xcnE113lWKEtGGOGjl.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'prgRj842Jb', 'J6nRcHd7C6', 'SDtRzUkXdW', 'Bb5mDH22PD', 'iT2mEJAANN', 'opNmRs2V5M', 'K2Omm7yVOb', 's95ZcfciLCKKX2xUqOh'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, Ir1kGbTicf0UUXiQMy.cs High entropy of concatenated method names: 'J2rW79ixaJ', 'F94Wc1DuNd', 'i9drD4KYWW', 'IqCrEaIABk', 'tuOWUvgdOk', 'qtTW5jFOBu', 'hADW9riuiG', 'MEPW1LqgZQ', 'r9QWkfowna', 'BeXW8JkdyZ'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, DGFItyE8JVDxUwV3ep.cs High entropy of concatenated method names: 'BvWCS6uR5', 'jCWM0RBXC', 'oBFoJU41j', 'ndAvKKt97', 'SZATpCqoH', 'DsetsVWln', 'qEqcKvp75lTGYTtKiV', 'PB4R4MgRbxbJbWLtc6', 'PwQrKgrfK', 'fx1nQGiD1'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, iIjX2YPPkaL15b1JJTX.cs High entropy of concatenated method names: 'ToString', 'PQOnmiOryd', 'qJ1nifmsCO', 'v3lneeipGA', 'JOhnNqHMdV', 'wVdnB3IVaB', 'rBWn0pO63u', 'Q3PnFwxAGs', 'QKcgjWiysxsANj55xrB', 'MZKU6IipCsJbuf8I6YW'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, uonbnmLG0MiFhH5EdT.cs High entropy of concatenated method names: 'ijudEYmRdg', 'ns9dmAyOn3', 'L0Gdiyh8T7', 'rOodNwDI8V', 'rhtdBYAvMN', 'rpedFVKfBH', 'u8wdKMcq9o', 'g6jrXsw9WC', 'k3Pr7GdSIN', 'kqIrjCFbaK'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, XuqtffC1mjMy4V4QNS.cs High entropy of concatenated method names: 'G1SWf8KLlr', 'nLrWZml4Iw', 'ToString', 'wKiWNyO6UK', 'U6GWB5LQFU', 'Og0W0FIgbi', 'QYyWFr3ukK', 'HJVWKpjj9H', 'fdbWxElkl9', 'pobWhruA64'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, ym5hm3Pbv9EBhKIXh85.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pobn1bsLNG', 'SKonkEu9Dl', 'OOIn8VKfcW', 'eDLn6dMKCv', 'De9nOK0rJy', 'gy3nqiHe3A', 'njVnX5OULX'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, OpHZEfAsiWMwvLMccU.cs High entropy of concatenated method names: 'ToString', 'By82UingMr', 'sTa24pxnws', 'K692s8VmXn', 'Uah2bwsDnL', 'Bsy2AIjN22', 'BvZ2YBXPnO', 'XNx2HZEr5F', 'baP2IZuLwE', 'U2K2peKvMT'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, UBZDfSvn1N5VCoRKKR.cs High entropy of concatenated method names: 'wo8B199eAO', 'DmMBkwggyg', 'iwtB8Txkyb', 'CTiB6iXjxP', 'FsaBO14qLV', 'tyABqML2xB', 'HyHBXBTIqU', 'dx4B7fMkC2', 'uOVBjIXp1O', 'MpTBcWHlt8'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.4602b20.3.raw.unpack, JQ6Bl2FiGQCC0cdEjA.cs High entropy of concatenated method names: 'OTNr3SsWpu', 'riBr4NEB27', 'Rpjrs1xTsr', 'YiyrbpTiit', 'YG3r1J1b7V', 'XX8rAhGUsx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, jWpHGA0DfRyfU60dN8.cs High entropy of concatenated method names: 'TQKExR61of', 'UiDEhsSH7N', 'dE0Efp2yDf', 'wqSEZtGgYF', 'IrYEQufbOE', 'nWbE2trLGT', 'DRhmoWYLOl5b3fSgjC', 'qcpadr9nGje6RTeBJW', 'oWVEEEAP11', 'clyEmn3oLm'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, KoVNS2QPr0D8xYKS6t.cs High entropy of concatenated method names: 'APN0MFD4Jo', 'w0i0oYUAl5', 'NL50l6Vdqb', 'eSB0TNtY24', 'uE70QyCxmt', 'Iim021tc0W', 'uvq0W4Nv7F', 'f410rtxWdO', 's5h0doIO0m', 'iyr0nPXyG7'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, OaibpBK1bvahCIVHhB.cs High entropy of concatenated method names: 'hKRKe2pYbc', 'bxfKBhByKQ', 'a01KFWnrTu', 'B9pKxNhKh6', 'bpAKh0DBXd', 'UQtFOs3M0n', 'ChPFq8XnWP', 'VHTFXQZvrA', 'wwXF7N1hEP', 'FK3Fj1mjnY'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, SfjqglIIaYp2yKY8rg.cs High entropy of concatenated method names: 'um2xLTZvZJ', 'V8SxaetNWR', 'x78xCDvf2a', 'qJkxM45IGA', 'FLNxJQo5Z7', 'ixrxoN6eO5', 'luGxvbxxsR', 'cMMxl6SjXN', 'TEYxTYxbsy', 'Kq1xtMVTGh'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, vP7EpM1GqhThhI2umb.cs High entropy of concatenated method names: 'jAJrNZ3NqI', 'XGTrBrNXcs', 'vvir0eFfqj', 'GofrFK5Eaw', 'I69rK0vTN0', 'PW5rx6WoXQ', 'jD1rhtLgvp', 'v4prS9R4Md', 'KeArf6h9Fg', 'HBorZI56dE'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, X0nIyHPWpr2jFPUHUZ0.cs High entropy of concatenated method names: 'crVdL9Hi66', 'm4gdayKRUt', 'KDPdC0PiN6', 'aENdMZZnHL', 'dg3dJX4PDS', 'nsddoRuDba', 'onodvaLUtL', 'ULGdla9pRV', 'tCVdT0J4qL', 'J8cdt7ZVjH'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, l3eqVArlDZPW5WaULi.cs High entropy of concatenated method names: 'svAglVqdoi', 'LB2gT3HGhC', 'mugg35R1CQ', 'gkag4o91ip', 'Dragb8FYCa', 'Jj0gAv6Z5k', 'z33gHEcPfy', 'mkrgIF5XeS', 'BRugwPbKRq', 'Nn6gUHk4va'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, Nl9pgWNbVilv1BBdx0.cs High entropy of concatenated method names: 'cO2FJVpT4N', 'bwQFvsUpcU', 'Jb20sBnFPf', 'GHV0bo5Kkl', 'WyK0Ah2MII', 'EFX0YtQmFc', 'OP20HKRjyc', 'njZ0I4xPyA', 'xJA0psSloF', 'Tdb0wkrKwH'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, bfXI8LBDuwM5MDXjHi.cs High entropy of concatenated method names: 'VH9K8pXRx0', 'xLfK65KEX1', 'IwIKOHsTI3', 'ToString', 'XYVKqCmuyk', 'inpKXvMQBi', 'VcqeJtvmNKESuE3746V', 'rqiwHZvU0c39QLCECri', 'jg2HZwvKJNExp516xKk', 'HqwG7DveKgxDRVqW9FP'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, sl7bPKUPIshOXOM697.cs High entropy of concatenated method names: 'Dispose', 'HF3EjKo7wC', 'luGR4o6OFN', 'tuUGGeuyEq', 'oFVEcqoqsq', 'jNCEzQrX2s', 'ProcessDialogKey', 'hlrRDYcl1J', 'qLJREHkuU2', 'jMeRRgbHhJ'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, pkU6ym2vK1iQp8Na4g.cs High entropy of concatenated method names: 'fOmmeZrPYu', 'QEZmNneaEp', 'kHKmBgyJfG', 'Kq9m0bNbUq', 'YdYmF8oYWp', 'yf9mKJtp73', 'KLAmxtOpUV', 'E0cmh6FywU', 'r26mS0RXSy', 'oUymfT8PJ8'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, xcnE113lWKEtGGOGjl.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'prgRj842Jb', 'J6nRcHd7C6', 'SDtRzUkXdW', 'Bb5mDH22PD', 'iT2mEJAANN', 'opNmRs2V5M', 'K2Omm7yVOb', 's95ZcfciLCKKX2xUqOh'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, Ir1kGbTicf0UUXiQMy.cs High entropy of concatenated method names: 'J2rW79ixaJ', 'F94Wc1DuNd', 'i9drD4KYWW', 'IqCrEaIABk', 'tuOWUvgdOk', 'qtTW5jFOBu', 'hADW9riuiG', 'MEPW1LqgZQ', 'r9QWkfowna', 'BeXW8JkdyZ'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, DGFItyE8JVDxUwV3ep.cs High entropy of concatenated method names: 'BvWCS6uR5', 'jCWM0RBXC', 'oBFoJU41j', 'ndAvKKt97', 'SZATpCqoH', 'DsetsVWln', 'qEqcKvp75lTGYTtKiV', 'PB4R4MgRbxbJbWLtc6', 'PwQrKgrfK', 'fx1nQGiD1'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, iIjX2YPPkaL15b1JJTX.cs High entropy of concatenated method names: 'ToString', 'PQOnmiOryd', 'qJ1nifmsCO', 'v3lneeipGA', 'JOhnNqHMdV', 'wVdnB3IVaB', 'rBWn0pO63u', 'Q3PnFwxAGs', 'QKcgjWiysxsANj55xrB', 'MZKU6IipCsJbuf8I6YW'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, uonbnmLG0MiFhH5EdT.cs High entropy of concatenated method names: 'ijudEYmRdg', 'ns9dmAyOn3', 'L0Gdiyh8T7', 'rOodNwDI8V', 'rhtdBYAvMN', 'rpedFVKfBH', 'u8wdKMcq9o', 'g6jrXsw9WC', 'k3Pr7GdSIN', 'kqIrjCFbaK'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, XuqtffC1mjMy4V4QNS.cs High entropy of concatenated method names: 'G1SWf8KLlr', 'nLrWZml4Iw', 'ToString', 'wKiWNyO6UK', 'U6GWB5LQFU', 'Og0W0FIgbi', 'QYyWFr3ukK', 'HJVWKpjj9H', 'fdbWxElkl9', 'pobWhruA64'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, ym5hm3Pbv9EBhKIXh85.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pobn1bsLNG', 'SKonkEu9Dl', 'OOIn8VKfcW', 'eDLn6dMKCv', 'De9nOK0rJy', 'gy3nqiHe3A', 'njVnX5OULX'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, OpHZEfAsiWMwvLMccU.cs High entropy of concatenated method names: 'ToString', 'By82UingMr', 'sTa24pxnws', 'K692s8VmXn', 'Uah2bwsDnL', 'Bsy2AIjN22', 'BvZ2YBXPnO', 'XNx2HZEr5F', 'baP2IZuLwE', 'U2K2peKvMT'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, UBZDfSvn1N5VCoRKKR.cs High entropy of concatenated method names: 'wo8B199eAO', 'DmMBkwggyg', 'iwtB8Txkyb', 'CTiB6iXjxP', 'FsaBO14qLV', 'tyABqML2xB', 'HyHBXBTIqU', 'dx4B7fMkC2', 'uOVBjIXp1O', 'MpTBcWHlt8'
Source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.a070000.7.raw.unpack, JQ6Bl2FiGQCC0cdEjA.cs High entropy of concatenated method names: 'OTNr3SsWpu', 'riBr4NEB27', 'Rpjrs1xTsr', 'YiyrbpTiit', 'YG3r1J1b7V', 'XX8rAhGUsx', 'Next', 'Next', 'Next', 'NextBytes'
Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe File created: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe File created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes | delete
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 6884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tiucdfZoOi.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7688, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Memory allocated: FB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Memory allocated: 29A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Memory allocated: 28C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Memory allocated: 7990000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Memory allocated: 8990000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Memory allocated: 8B40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Memory allocated: 9B40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Memory allocated: A0F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Memory allocated: B0F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Memory allocated: C0F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Memory allocated: 1240000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Memory allocated: 2C20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Memory allocated: 2B70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Memory allocated: 950000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Memory allocated: 26E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Memory allocated: 2470000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Memory allocated: 7200000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Memory allocated: 8200000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Memory allocated: 83A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Memory allocated: 93A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Memory allocated: 9900000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Memory allocated: 7200000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Memory allocated: 14C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Memory allocated: 2F70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Memory allocated: 2CC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 1380000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 3190000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 1650000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 7AB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 8AB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 8C50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 9C50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: A320000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: B320000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: C320000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 2930000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 29E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 2930000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 1660000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 3100000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 5100000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 7D00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 8D00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 8EA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 9EA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: A3F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: B3F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: C3F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 16C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 33C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 53C0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8120 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1531 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Window / User API: threadDelayed 1518 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Window / User API: threadDelayed 2063 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Window / User API: threadDelayed 521
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Window / User API: threadDelayed 2668
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Window / User API: threadDelayed 1076
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Window / User API: threadDelayed 2109
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Window / User API: threadDelayed 416
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Window / User API: threadDelayed 2370
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 6956 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7232 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -11068046444225724s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7300 Thread sleep count: 1518 > 30 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -99873s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7300 Thread sleep count: 2063 > 30 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -99764s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -99655s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -99546s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -99437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -99328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -99218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -99109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -98997s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -98890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -98781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -98666s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -98546s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -98437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -98325s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -98218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -98109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe TID: 7292 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7444 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7648 Thread sleep count: 521 > 30
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -99873s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7648 Thread sleep count: 2668 > 30
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -98671s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -98544s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -98437s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -98328s >= -30000s
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe TID: 7640 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7708 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8060 Thread sleep count: 1076 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052 Thread sleep time: -99871s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8060 Thread sleep count: 2109 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052 Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052 Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052 Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052 Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052 Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052 Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052 Thread sleep time: -98999s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052 Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052 Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052 Thread sleep time: -98670s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052 Thread sleep time: -98545s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052 Thread sleep time: -98418s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8052 Thread sleep time: -98312s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 6312 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7108 Thread sleep count: 416 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7108 Thread sleep count: 2370 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192 Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192 Thread sleep time: -99516s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192 Thread sleep time: -99406s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192 Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192 Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192 Thread sleep time: -99063s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192 Thread sleep time: -98938s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192 Thread sleep time: -98828s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192 Thread sleep time: -98719s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192 Thread sleep time: -98594s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192 Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 4192 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 99873 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 99764 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 99655 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 99546 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 99437 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 99328 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 99218 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 99109 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 98997 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 98890 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 98781 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 98666 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 98546 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 98437 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 98325 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 98218 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 98109 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 99873
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 99546
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 99218
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 98781
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 98671
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 98544
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 98437
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 98328
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99871
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99546
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99218
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98999
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98781
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98670
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98545
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98418
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98312
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99516
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99406
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99063
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98938
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98828
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98719
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98594
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98485
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 922337203685477
Source: boqXv.exe, 00000010.00000002.2113005667.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllatform Interface
Source: boqXv.exe.6.dr Binary or memory string: 5VMCi
Source: boqXv.exe, 0000000C.00000002.2059048401.000000000A220000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: boqXv.exe, 00000016.00000002.3100539202.00000000017B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: boqXv.exe, 0000000C.00000002.2059048401.000000000A220000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SAs
Source: SecuriteInfo.com.PWSX-gen.32561.14552.exe, 00000006.00000002.3098512051.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, tiucdfZoOi.exe, 0000000B.00000002.3153521405.00000000063A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Memory written: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Memory written: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory written: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory written: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe "C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp6B88.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Process created: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe "C:\Users\user\AppData\Roaming\tiucdfZoOi.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmp97D8.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiucdfZoOi" /XML "C:\Users\user\AppData\Local\Temp\tmpB88F.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Queries volume information: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Queries volume information: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 12.2.boqXv.exe.4ecfb08.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tiucdfZoOi.exe.41a6420.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.boqXv.exe.4f0ab28.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tiucdfZoOi.exe.41e1440.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.boqXv.exe.4e3f650.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.boqXv.exe.4e7a670.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.boqXv.exe.4e7a670.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tiucdfZoOi.exe.41a6420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.boqXv.exe.4f0ab28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tiucdfZoOi.exe.41e1440.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.boqXv.exe.4e3f650.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.boqXv.exe.4ecfb08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3103520162.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3107567072.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3107557708.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3107557708.000000000341A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1938641021.00000000041A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2110975637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2116074967.0000000002A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3107567072.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2054981881.0000000004ECF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3107557708.0000000003412000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2116074967.0000000002A32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3103520162.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3107567072.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2116074967.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3103520162.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1893998929.00000000046DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2144327885.0000000004E3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 6884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 7196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tiucdfZoOi.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tiucdfZoOi.exe PID: 7552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7100, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PWSX-gen.32561.14552.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\tiucdfZoOi.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 12.2.boqXv.exe.4ecfb08.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tiucdfZoOi.exe.41a6420.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.boqXv.exe.4f0ab28.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tiucdfZoOi.exe.41e1440.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.boqXv.exe.4e3f650.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.boqXv.exe.4e7a670.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.boqXv.exe.4e7a670.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tiucdfZoOi.exe.41a6420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.boqXv.exe.4f0ab28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tiucdfZoOi.exe.41e1440.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.boqXv.exe.4e3f650.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.boqXv.exe.4ecfb08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.3107557708.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1938641021.00000000041A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2110975637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3107567072.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2054981881.0000000004ECF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2116074967.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3103520162.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1893998929.00000000046DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2144327885.0000000004E3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 6884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 7196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tiucdfZoOi.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tiucdfZoOi.exe PID: 7552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7100, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 12.2.boqXv.exe.4ecfb08.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tiucdfZoOi.exe.41a6420.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.boqXv.exe.4f0ab28.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tiucdfZoOi.exe.41e1440.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.boqXv.exe.4e3f650.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.boqXv.exe.4e7a670.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.boqXv.exe.4e7a670.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tiucdfZoOi.exe.41a6420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.boqXv.exe.4f0ab28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tiucdfZoOi.exe.41e1440.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.PWSX-gen.32561.14552.exe.471a068.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.boqXv.exe.4e3f650.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.boqXv.exe.4ecfb08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3103520162.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3107567072.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3107557708.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3107557708.000000000341A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1938641021.00000000041A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2110975637.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2116074967.0000000002A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3107567072.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2054981881.0000000004ECF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3107557708.0000000003412000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2116074967.0000000002A32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3103520162.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3107567072.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2116074967.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3103520162.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1893998929.00000000046DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2144327885.0000000004E3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 6884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.PWSX-gen.32561.14552.exe PID: 7196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tiucdfZoOi.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tiucdfZoOi.exe PID: 7552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7100, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1427764 Sample: SecuriteInfo.com.PWSX-gen.3... Startdate: 18/04/2024 Architecture: WINDOWS Score: 100 59 mail.clslk.com 2->59 63 Snort IDS alert for network traffic 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus / Scanner detection for submitted sample 2->67 69 9 other signatures 2->69 8 SecuriteInfo.com.PWSX-gen.32561.14552.exe 7 2->8         started        12 tiucdfZoOi.exe 5 2->12         started        14 boqXv.exe 2->14         started        16 boqXv.exe 2->16         started        signatures3 process4 file5 55 C:\Users\user\AppData\...\tiucdfZoOi.exe, PE32 8->55 dropped 57 C:\Users\user\AppData\Local\...\tmp5AC0.tmp, XML 8->57 dropped 81 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->81 83 Uses schtasks.exe or at.exe to add and modify task schedules 8->83 85 Adds a directory exclusion to Windows Defender 8->85 18 SecuriteInfo.com.PWSX-gen.32561.14552.exe 1 5 8->18         started        23 powershell.exe 23 8->23         started        25 schtasks.exe 1 8->25         started        87 Antivirus detection for dropped file 12->87 89 Multi AV Scanner detection for dropped file 12->89 91 Machine Learning detection for dropped file 12->91 27 tiucdfZoOi.exe 12->27         started        29 schtasks.exe 1 12->29         started        93 Injects a PE file into a foreign processes 14->93 31 boqXv.exe 14->31         started        33 schtasks.exe 14->33         started        35 boqXv.exe 16->35         started        37 schtasks.exe 16->37         started        signatures6 process7 dnsIp8 61 mail.clslk.com 50.87.253.239, 49733, 49736, 49740 UNIFIEDLAYER-AS-1US United States 18->61 51 C:\Users\user\AppData\Roaming\...\boqXv.exe, PE32 18->51 dropped 53 C:\Users\user\...\boqXv.exe:Zone.Identifier, ASCII 18->53 dropped 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->71 73 Tries to steal Mail credentials (via file / registry access) 18->73 75 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->75 77 Loading BitLocker PowerShell Module 23->77 39 WmiPrvSE.exe 23->39         started        41 conhost.exe 23->41         started        43 conhost.exe 25->43         started        45 conhost.exe 29->45         started        47 conhost.exe 33->47         started        79 Tries to harvest and steal browser information (history, passwords, etc) 35->79 49 conhost.exe 37->49         started        file9 signatures10 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
50.87.253.239
 mail.clslk.com United States
46606 UNIFIEDLAYER-AS-1US true

Contacted Domains

Name IP Active
mail.clslk.com 50.87.253.239 true