Windows Analysis Report
SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Analysis ID: 1429251
MD5: 4e640bd1e98bec927682ac50f0d86e2a
SHA1: c1c4b8f8d3b8b692e76ed4f1df134b1c88694517
SHA256: 98a9021f55ec887a271dd6b5bef911bdbf09514530db7abdb887d5282aaf7631
Tags: exe
Infos:

Detection

PureLog Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected XWorm
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Avira: detected
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\XClient.exe Avira: detection malicious, Label: HEUR/AGEN.1323752
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Avira: detection malicious, Label: HEUR/AGEN.1323752
Found malware configuration
Source: 0000000A.00000002.2466687008.0000000003155000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["91.92.248.52"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.3"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\XClient.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\XClient.exe Virustotal: Detection: 69% Perma Link
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Virustotal: Detection: 69% Perma Link
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe ReversingLabs: Detection: 55%
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Virustotal: Detection: 69% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\XClient.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 10.2.daqfbrlrs.exe.31693a8.2.raw.unpack String decryptor: 91.92.248.52
Source: 10.2.daqfbrlrs.exe.31693a8.2.raw.unpack String decryptor: 7000
Source: 10.2.daqfbrlrs.exe.31693a8.2.raw.unpack String decryptor: <123456789>
Source: 10.2.daqfbrlrs.exe.31693a8.2.raw.unpack String decryptor: <Xwormmm>
Source: 10.2.daqfbrlrs.exe.31693a8.2.raw.unpack String decryptor: XWorm V5.3
Source: 10.2.daqfbrlrs.exe.31693a8.2.raw.unpack String decryptor: USB.exe
Source: 10.2.daqfbrlrs.exe.31693a8.2.raw.unpack String decryptor: %AppData%
Source: 10.2.daqfbrlrs.exe.31693a8.2.raw.unpack String decryptor: XClient.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.2003746490.00000000066E0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.0000000003247000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1992545692.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1992545692.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2500970516.0000000004C9D000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2466687008.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2554540962.00000000035B6000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2572125164.0000000005077000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2554540962.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2572125164.00000000050EF000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.2003746490.00000000066E0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.0000000003247000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1992545692.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1992545692.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2500970516.0000000004C9D000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2466687008.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2554540962.00000000035B6000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2572125164.0000000005077000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2554540962.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2572125164.00000000050EF000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.000000000337B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.2003229740.0000000006620000.00000004.08000000.00040000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2466687008.0000000003199000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.000000000337B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.2003229740.0000000006620000.00000004.08000000.00040000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2466687008.0000000003199000.00000004.00000800.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 4x nop then jmp 030944FFh 0_2_03094308
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 4x nop then jmp 030944FFh 0_2_03094318
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 4x nop then jmp 03098208h 0_2_03098158
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_03094028
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_03094030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 4x nop then jmp 030944FFh 0_2_0309458B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 4x nop then jmp 03098208h 0_2_03098158
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 4x nop then jmp 04F444FFh 10_2_04F4458B
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 10_2_04F44030
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 10_2_04F44028
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 4x nop then jmp 04F48208h 10_2_04F48158
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 4x nop then jmp 04F444FFh 10_2_04F44318
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 4x nop then jmp 04F444FFh 10_2_04F44308
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 4x nop then jmp 04F48208h 10_2_04F48158
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 4x nop then jmp 031344FFh 13_2_03134318
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 4x nop then jmp 031344FFh 13_2_03134308
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 4x nop then jmp 03138208h 13_2_03138158
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 4x nop then jmp 03138208h 13_2_03138158
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 13_2_03134030
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 13_2_03134028
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 4x nop then jmp 031344FFh 13_2_0313458B

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 91.92.248.52
Yara detected Generic Downloader
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.3390260.2.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49743 -> 91.92.248.52:7000
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /sm/Pxgimjrvqqb.wav HTTP/1.1Host: 5.34.182.232Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /sm/Pxgimjrvqqb.wav HTTP/1.1Host: 5.34.182.232Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /sm/Pxgimjrvqqb.wav HTTP/1.1Host: 5.34.182.232Connection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: THEZONEBG THEZONEBG
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: unknown TCP traffic detected without corresponding DNS query: 5.34.182.232
Source: global traffic HTTP traffic detected: GET /sm/Pxgimjrvqqb.wav HTTP/1.1Host: 5.34.182.232Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /sm/Pxgimjrvqqb.wav HTTP/1.1Host: 5.34.182.232Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /sm/Pxgimjrvqqb.wav HTTP/1.1Host: 5.34.182.232Connection: Keep-Alive
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2466687008.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2554540962.0000000003371000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://5.34.182.232
Source: daqfbrlrs.exe, 0000000A.00000002.2466687008.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2554540962.0000000003371000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://5.34.182.232/sm/Pxgimjrvqqb.wav0I
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.00000000030F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://5.34.182.232/sm/Pxgimjrvqqb.wav0I4
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, XClient.exe.4.dr, daqfbrlrs.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, XClient.exe.4.dr, daqfbrlrs.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, XClient.exe.4.dr, daqfbrlrs.exe.0.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, XClient.exe.4.dr, daqfbrlrs.exe.0.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000008.00000002.2108660915.000000000790D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mi
Source: powershell.exe, 0000000E.00000002.2263906463.0000000008482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000B.00000002.2155638841.0000000003323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micronq
Source: powershell.exe, 00000008.00000002.2113666085.00000000087F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 0000000E.00000002.2263906463.0000000008482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoftQ5;
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, XClient.exe.4.dr, daqfbrlrs.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, XClient.exe.4.dr, daqfbrlrs.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, XClient.exe.4.dr, daqfbrlrs.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, XClient.exe.4.dr, daqfbrlrs.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, XClient.exe.4.dr, daqfbrlrs.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, XClient.exe.4.dr, daqfbrlrs.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 00000005.00000002.2052979000.0000000005766000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2099869250.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2176960211.0000000005E75000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2246643853.0000000005BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, XClient.exe.4.dr, daqfbrlrs.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, XClient.exe.4.dr, daqfbrlrs.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, XClient.exe.4.dr, daqfbrlrs.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, XClient.exe.4.dr, daqfbrlrs.exe.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 0000000E.00000002.2217132744.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.2041601100.0000000004856000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2083832437.0000000004F96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2157706414.0000000004F66000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2217132744.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000004.00000002.2896982875.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2041601100.0000000004701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2083832437.0000000004E41000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2466687008.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2157706414.0000000004E11000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2554540962.0000000003371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2217132744.0000000004B61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2041601100.0000000004856000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2083832437.0000000004F96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2157706414.0000000004F66000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2217132744.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000E.00000002.2217132744.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.2041601100.0000000004701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2083832437.0000000004E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2157706414.0000000004E11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2217132744.0000000004B61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000E.00000002.2246643853.0000000005BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.2246643853.0000000005BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.2246643853.0000000005BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000E.00000002.2217132744.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.000000000337B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.2003229740.0000000006620000.00000004.08000000.00040000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2466687008.0000000003199000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.000000000337B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.2003229740.0000000006620000.00000004.08000000.00040000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2466687008.0000000003199000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.000000000337B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.2003229740.0000000006620000.00000004.08000000.00040000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2466687008.0000000003199000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000005.00000002.2052979000.0000000005766000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2099869250.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2176960211.0000000005E75000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2246643853.0000000005BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, XClient.exe.4.dr, daqfbrlrs.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.000000000337B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.2003229740.0000000006620000.00000004.08000000.00040000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2466687008.0000000003199000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: daqfbrlrs.exe, 0000000A.00000002.2466687008.0000000003199000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2466687008.0000000003027000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2554540962.000000000366B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.2003229740.0000000006620000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Operating System Destruction
barindex
Protects its processes via BreakOnTermination flag
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: 01 00 00 00 Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.3390260.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.2.daqfbrlrs.exe.31693a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 13.2.daqfbrlrs.exe.36db45c.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 13.2.daqfbrlrs.exe.36db45c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 16.2.daqfbrlrs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.2.daqfbrlrs.exe.31693a8.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.3390260.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.2466687008.0000000003155000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1991317996.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000D.00000002.2554540962.0000000003656000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000010.00000002.2496866109.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000D.00000002.2554540962.00000000036D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_02ED2BC0 0_2_02ED2BC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_02ED2EF8 0_2_02ED2EF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_02ED1290 0_2_02ED1290
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_02ED1968 0_2_02ED1968
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_02ED2287 0_2_02ED2287
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_02ED2383 0_2_02ED2383
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_02ED2C71 0_2_02ED2C71
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_02ED1A16 0_2_02ED1A16
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_02ED19AC 0_2_02ED19AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_02ED1958 0_2_02ED1958
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_02ED1EB1 0_2_02ED1EB1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_0309C5D0 0_2_0309C5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_03094308 0_2_03094308
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_03094318 0_2_03094318
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_03091048 0_2_03091048
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_03090730 0_2_03090730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_0309E500 0_2_0309E500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_0309E510 0_2_0309E510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_0309054F 0_2_0309054F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_0309458B 0_2_0309458B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_0309C5C2 0_2_0309C5C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_0309049E 0_2_0309049E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_03090B95 0_2_03090B95
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_03090AE7 0_2_03090AE7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_03090906 0_2_03090906
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_03090F03 0_2_03090F03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_03090FB0 0_2_03090FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_03090C46 0_2_03090C46
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_06F7DCD0 0_2_06F7DCD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_06F7F138 0_2_06F7F138
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_06F60040 0_2_06F60040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_06F60007 0_2_06F60007
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 4_2_02CB44F8 4_2_02CB44F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 4_2_02CB4AF0 4_2_02CB4AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 4_2_02CB1470 4_2_02CB1470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 4_2_02CB1A98 4_2_02CB1A98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0464B490 5_2_0464B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0464C662 5_2_0464C662
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_083C3A98 5_2_083C3A98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0348B4A0 8_2_0348B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0348B490 8_2_0348B490
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_02D72BC0 10_2_02D72BC0
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_02D72EF8 10_2_02D72EF8
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_02D71290 10_2_02D71290
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_02D71968 10_2_02D71968
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_02D72287 10_2_02D72287
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_02D72383 10_2_02D72383
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_02D72C71 10_2_02D72C71
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_02D71A16 10_2_02D71A16
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_02D719A2 10_2_02D719A2
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_02D7195C 10_2_02D7195C
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_02D71EB1 10_2_02D71EB1
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F4B790 10_2_04F4B790
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F4049E 10_2_04F4049E
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F4458B 10_2_04F4458B
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F4054F 10_2_04F4054F
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F4D6D0 10_2_04F4D6D0
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F4D6BF 10_2_04F4D6BF
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F4B780 10_2_04F4B780
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F40730 10_2_04F40730
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F41048 10_2_04F41048
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F44318 10_2_04F44318
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F44308 10_2_04F44308
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F40C46 10_2_04F40C46
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F40FB0 10_2_04F40FB0
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F40F03 10_2_04F40F03
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F40906 10_2_04F40906
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F40AE7 10_2_04F40AE7
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F40B95 10_2_04F40B95
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_06D3F138 10_2_06D3F138
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_06D20040 10_2_06D20040
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_06D20007 10_2_06D20007
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_0349B490 11_2_0349B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_08CF3E98 11_2_08CF3E98
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_0313B790 13_2_0313B790
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_03134318 13_2_03134318
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_03134308 13_2_03134308
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_03130B95 13_2_03130B95
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_03130AE7 13_2_03130AE7
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_03130906 13_2_03130906
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_03131048 13_2_03131048
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_03130F03 13_2_03130F03
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_03130730 13_2_03130730
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_0313B780 13_2_0313B780
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_03130FB0 13_2_03130FB0
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_0313D6BF 13_2_0313D6BF
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_0313D6D0 13_2_0313D6D0
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_0313054F 13_2_0313054F
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_0313458B 13_2_0313458B
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_03130C46 13_2_03130C46
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_0313049E 13_2_0313049E
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_031F2BC0 13_2_031F2BC0
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_031F2EF8 13_2_031F2EF8
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_031F1290 13_2_031F1290
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_031F1968 13_2_031F1968
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_031F2383 13_2_031F2383
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_031F2287 13_2_031F2287
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_031F2C71 13_2_031F2C71
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_031F1A16 13_2_031F1A16
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_031F195F 13_2_031F195F
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_031F19A2 13_2_031F19A2
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_031F1EB1 13_2_031F1EB1
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_071FDCD0 13_2_071FDCD0
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_071FF138 13_2_071FF138
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_071E0006 13_2_071E0006
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 13_2_071E0040 13_2_071E0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0310B490 14_2_0310B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0310B470 14_2_0310B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_08943A98 14_2_08943A98
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 16_2_02C31AA3 16_2_02C31AA3
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 18_2_00B21470 18_2_00B21470
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 18_2_00B21A99 18_2_00B21A99
PE / OLE file has an invalid certificate
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1992545692.00000000044D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameJxlpzksea.dll" vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1999338129.0000000005F80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameJxlpzksea.dll" vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1992545692.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameJxlpzksea.dll" vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.0000000003658000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclrjit.dllT vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.0000000003658000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.2001211652.0000000006299000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamexlone1.exe< vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.000000000337B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.000000000337B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.2003746490.00000000066E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.0000000003120000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.0000000003247000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1992545692.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000000.1622402046.0000000000D62000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamexlone1.exe< vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.2003229740.0000000006620000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1992545692.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1992545692.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamexlone1.exe< vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000004.00000002.2900642609.0000000005FD9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000004.00000002.2898724949.0000000003EC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamexlone1.exe< vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Binary or memory string: OriginalFilenamexlone1.exe< vs SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.3390260.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.daqfbrlrs.exe.31693a8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 13.2.daqfbrlrs.exe.36db45c.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 13.2.daqfbrlrs.exe.36db45c.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 16.2.daqfbrlrs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.daqfbrlrs.exe.31693a8.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.3390260.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.2466687008.0000000003155000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1991317996.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000D.00000002.2554540962.0000000003656000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000010.00000002.2496866109.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000D.00000002.2554540962.00000000036D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.66e0000.13.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.66e0000.13.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.66e0000.13.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.66e0000.13.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e6f6d8.3.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e6f6d8.3.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.66e0000.13.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e6f6d8.3.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e6f6d8.3.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e1f6b8.6.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e6f6d8.3.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.66e0000.13.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e1f6b8.6.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e1f6b8.6.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.66e0000.13.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e1f6b8.6.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e1f6b8.6.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.66e0000.13.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.66e0000.13.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e6f6d8.3.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e6f6d8.3.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e6f6d8.3.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.66e0000.13.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e1f6b8.6.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: classification engine Classification label: mal100.troj.evad.winEXE@21/24@0/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe File created: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Mutant created: \Sessions\1\BaseNamedObjects\By9qKt9A8waTk2LI
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:420:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4136:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5184:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2724:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe File created: C:\Users\user\AppData\Local\Temp\Log.tmp Jump to behavior
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe ReversingLabs: Detection: 55%
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\daqfbrlrs.exe "C:\Users\user\AppData\Roaming\daqfbrlrs.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\daqfbrlrs.exe "C:\Users\user\AppData\Roaming\daqfbrlrs.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process created: C:\Users\user\AppData\Roaming\daqfbrlrs.exe "C:\Users\user\AppData\Roaming\daqfbrlrs.exe"
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process created: C:\Users\user\AppData\Roaming\daqfbrlrs.exe "C:\Users\user\AppData\Roaming\daqfbrlrs.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe' Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe' Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process created: C:\Users\user\AppData\Roaming\daqfbrlrs.exe "C:\Users\user\AppData\Roaming\daqfbrlrs.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process created: C:\Users\user\AppData\Roaming\daqfbrlrs.exe "C:\Users\user\AppData\Roaming\daqfbrlrs.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.2003746490.00000000066E0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.0000000003247000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1992545692.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1992545692.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2500970516.0000000004C9D000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2466687008.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2554540962.00000000035B6000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2572125164.0000000005077000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2554540962.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2572125164.00000000050EF000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.2003746490.00000000066E0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.0000000003247000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1992545692.0000000004DF7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1992545692.0000000004E6F000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2500970516.0000000004C9D000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2466687008.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2554540962.00000000035B6000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2572125164.0000000005077000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2554540962.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2572125164.00000000050EF000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.000000000337B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.2003229740.0000000006620000.00000004.08000000.00040000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2466687008.0000000003199000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.000000000337B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.2003229740.0000000006620000.00000004.08000000.00040000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2466687008.0000000003199000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.6620000.12.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.6620000.12.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.6620000.12.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.6620000.12.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.6620000.12.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.66e0000.13.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.66e0000.13.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.66e0000.13.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e6f6d8.3.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e6f6d8.3.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e6f6d8.3.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e1f6b8.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e1f6b8.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4e1f6b8.6.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Yara detected Costura Assembly Loader
Source: Yara match File source: 13.2.daqfbrlrs.exe.53110d8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.daqfbrlrs.exe.3608854.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.65c0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.daqfbrlrs.exe.52e90b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.daqfbrlrs.exe.52e90b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2596900103.0000000007231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2572125164.0000000005257000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2554540962.000000000362B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2554540962.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2002984588.00000000065C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2466687008.0000000003027000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1991317996.0000000003247000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe PID: 6664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: daqfbrlrs.exe PID: 2488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: daqfbrlrs.exe PID: 6776, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 0_2_0309E191 push ecx; ret 0_2_0309E194
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Code function: 4_2_02CB54F8 pushfd ; ret 4_2_02CB54F9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_046411BD push esp; iretw 5_2_046411D1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0464633D push eax; ret 5_2_04646351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_04640B18 push ebp; iretd 5_2_04640B22
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_083C6F00 pushad ; retf 5_2_083C6F05
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_03483A8D push ebx; retf 8_2_03483ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_03483A9C push ebx; retf 8_2_03483ADA
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 10_2_04F4C4E0 push es; ret 10_2_04F4C4F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_0349246B push esp; ret 11_2_03492471
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_03492C5C push 04B807C5h; retf 11_2_03492CFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_08CF5808 push edx; iretd 11_2_08CF57BE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_08CF5803 push esi; iretd 11_2_08CF5806
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_08CF5801 push esi; iretd 11_2_08CF5802
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_08CF0DAD push es; iretd 11_2_08CF0DAE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_08CF57EC push ebp; iretd 11_2_08CF57EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_08CF57FC push esi; iretd 11_2_08CF57FE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_08CF57F0 push esi; iretd 11_2_08CF57FA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0310633D push eax; ret 14_2_03106351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0310629D push eax; ret 14_2_03106351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_077D4408 pushfd ; ret 14_2_077D462D
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Code function: 16_2_02C31A99 pushfd ; retf 0002h 16_2_02C31A9A
Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe File created: C:\Users\user\AppData\Roaming\XClient.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe File created: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run daqfbrlrs Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run daqfbrlrs Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe PID: 6664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: daqfbrlrs.exe PID: 2488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: daqfbrlrs.exe PID: 6776, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1991317996.0000000003247000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000A.00000002.2466687008.0000000003027000.00000004.00000800.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2554540962.00000000035D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Memory allocated: 2E90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Memory allocated: 30F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Memory allocated: 3020000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Memory allocated: 6FB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Memory allocated: 6D30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Memory allocated: 2CB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Memory allocated: 2EC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Memory allocated: 2CE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory allocated: 2D30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory allocated: 2ED0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory allocated: 4ED0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory allocated: 6E70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory allocated: 6540000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory allocated: 3110000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory allocated: 3370000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory allocated: 3110000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory allocated: 7230000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory allocated: 6FB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory allocated: 12A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory allocated: 2E20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory allocated: 2B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory allocated: B20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory allocated: 2610000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory allocated: B60000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7568 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2087 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6977 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2771 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8071
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1641
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7349
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2360
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe TID: 6684 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe TID: 6756 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe TID: 6744 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe TID: 1904 Thread sleep time: -58000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4928 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6884 Thread sleep count: 6977 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6884 Thread sleep count: 2771 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2180 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe TID: 1004 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe TID: 5696 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7112 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe TID: 6684 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1364 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe TID: 4600 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe TID: 4076 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Thread delayed: delay time: 922337203685477
Source: daqfbrlrs.exe, 0000000D.00000002.2554540962.00000000035D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: daqfbrlrs.exe, 0000000A.00000002.2463239234.0000000001192000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: daqfbrlrs.exe, 0000000D.00000002.2554540962.00000000035D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000000.00000002.1990879497.00000000014E2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe, 00000004.00000002.2889790795.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, daqfbrlrs.exe, 0000000D.00000002.2547245552.0000000001425000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe' Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' Jump to behavior
Bypasses PowerShell execution policy
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe'
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory written: C:\Users\user\AppData\Roaming\daqfbrlrs.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Memory written: C:\Users\user\AppData\Roaming\daqfbrlrs.exe base: 350000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe' Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe' Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process created: C:\Users\user\AppData\Roaming\daqfbrlrs.exe "C:\Users\user\AppData\Roaming\daqfbrlrs.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Process created: C:\Users\user\AppData\Roaming\daqfbrlrs.exe "C:\Users\user\AppData\Roaming\daqfbrlrs.exe"
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Queries volume information: C:\Users\user\AppData\Roaming\daqfbrlrs.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Queries volume information: C:\Users\user\AppData\Roaming\daqfbrlrs.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Queries volume information: C:\Users\user\AppData\Roaming\daqfbrlrs.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Queries volume information: C:\Users\user\AppData\Roaming\daqfbrlrs.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\daqfbrlrs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.5f80000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.5f80000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.46f8418.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4720438.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4bd04b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4bd04b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.46f8418.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4720438.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1999338129.0000000005F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1992545692.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1992545692.00000000044D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected XWorm
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.3390260.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.daqfbrlrs.exe.31693a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.daqfbrlrs.exe.36db45c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.daqfbrlrs.exe.36db45c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.daqfbrlrs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.daqfbrlrs.exe.31693a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.3390260.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2466687008.0000000003155000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1991317996.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2554540962.0000000003656000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2496866109.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2554540962.00000000036D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe PID: 6664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: daqfbrlrs.exe PID: 2488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: daqfbrlrs.exe PID: 6776, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: daqfbrlrs.exe PID: 3408, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.5f80000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.5f80000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.46f8418.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4720438.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4bd04b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4bd04b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.46f8418.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.4720438.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1999338129.0000000005F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1992545692.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1992545692.00000000044D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected XWorm
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.3390260.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.daqfbrlrs.exe.31693a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.daqfbrlrs.exe.36db45c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.daqfbrlrs.exe.36db45c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.daqfbrlrs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.daqfbrlrs.exe.31693a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe.3390260.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2466687008.0000000003155000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1991317996.000000000337B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2554540962.0000000003656000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2496866109.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2554540962.00000000036D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe PID: 6664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: daqfbrlrs.exe PID: 2488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: daqfbrlrs.exe PID: 6776, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: daqfbrlrs.exe PID: 3408, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1429251 Sample: SecuriteInfo.com.Win32.Rans... Startdate: 21/04/2024 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus detection for URL or domain 2->55 57 15 other signatures 2->57 8 SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe 16 5 2->8         started        13 daqfbrlrs.exe 14 3 2->13         started        15 daqfbrlrs.exe 2->15         started        process3 dnsIp4 49 5.34.182.232, 49733, 49740, 49741 ITLASUA Ukraine 8->49 45 C:\Users\user\AppData\Roaming\daqfbrlrs.exe, PE32 8->45 dropped 63 Bypasses PowerShell execution policy 8->63 65 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->65 67 Adds a directory exclusion to Windows Defender 8->67 17 SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe 6 8->17         started        69 Antivirus detection for dropped file 13->69 71 Multi AV Scanner detection for dropped file 13->71 73 Machine Learning detection for dropped file 13->73 22 daqfbrlrs.exe 13->22         started        75 Injects a PE file into a foreign processes 15->75 24 daqfbrlrs.exe 15->24         started        file5 signatures6 process7 dnsIp8 47 91.92.248.52, 49743, 49745, 49746 THEZONEBG Bulgaria 17->47 43 C:\Users\user\AppData\Roaming\XClient.exe, PE32 17->43 dropped 59 Protects its processes via BreakOnTermination flag 17->59 61 Adds a directory exclusion to Windows Defender 17->61 26 powershell.exe 23 17->26         started        29 powershell.exe 23 17->29         started        31 powershell.exe 17->31         started        33 powershell.exe 17->33         started        file9 signatures10 process11 signatures12 77 Loading BitLocker PowerShell Module 26->77 35 conhost.exe 26->35         started        37 conhost.exe 29->37         started        39 conhost.exe 31->39         started        41 conhost.exe 33->41         started        process13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
91.92.248.52
 unknown Bulgaria
34368 THEZONEBG true
5.34.182.232
 unknown Ukraine
15626 ITLASUA false

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://5.34.182.232/sm/Pxgimjrvqqb.wav false unknown
91.92.248.52 true
    		unknown