Windows Analysis Report
DriverUpdt.exe

Overview

General Information

Sample name:	DriverUpdt.exe
Analysis ID:	1465719
MD5:	65485b0475b6c8a3b4f35bba541938a6
SHA1:	28e6e6cd2ebf8a9fdffeb4aeba13b70ea7ea03a3
SHA256:	c6740ee5c8afdc2c7be42fb03ab5a346925efc6ac785fe7d68dec2d5f05d276b
Tags:	exe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DriverUpdt.exe

Avira: detected

Antivirus detection for URL or domain

Source: stewiegriffin-37537.portmap.host

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\DriverUpdt

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: DriverUpdt.exe

Malware Configuration Extractor: Xworm {"C2 url": ["stewiegriffin-37537.portmap.host"], "Port": "37537", "Aes key": "37537", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\DriverUpdt

ReversingLabs: Detection: 84%

Multi AV Scanner detection for submitted file

Source: DriverUpdt.exe

ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\DriverUpdt

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DriverUpdt.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: DriverUpdt.exe	String decryptor: stewiegriffin-37537.portmap.host
Source: DriverUpdt.exe	String decryptor: 37537
Source: DriverUpdt.exe	String decryptor: catfart
Source: DriverUpdt.exe	String decryptor: <Xwormmm>
Source: DriverUpdt.exe	String decryptor: gurry
Source: DriverUpdt.exe	String decryptor: USB.exe
Source: DriverUpdt.exe	String decryptor: %AppData%
Source: DriverUpdt.exe	String decryptor: DriverUpdt

Uses 32bit PE files

Source: DriverUpdt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DriverUpdt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: stewiegriffin-37537.portmap.host

Yara detected Generic Downloader

Source: Yara match	File source: DriverUpdt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.DriverUpdt.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\DriverUpdt, type: DROPPED

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49714 -> 193.161.193.99:37537

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 193.161.193.99 193.161.193.99

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: BITREE-ASRU BITREE-ASRU

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: stewiegriffin-37537.portmap.host

Source: powershell.exe, 0000000A.00000002.2586638323.0000014E39008000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000005.00000002.2227719144.00000135E1DF5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2586638323.0000014E39008000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000005.00000002.2227719144.00000135E1DF5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2586638323.0000014E39008000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000005.00000002.2225891671.00000135E1C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 0000000A.00000002.2583865294.0000014E38E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsp
Source: svchost.exe, 00000012.00000002.3276702426.000001BA75A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.18.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: DriverUpdt.exe, DriverUpdt.0.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.2119512647.0000029C6C39F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2209288191.00000135D96FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2359742614.0000019A7675F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2102983893.0000029C5C558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2153166994.00000135C98B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2265756719.0000019A66AA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: DriverUpdt.exe, 00000000.00000002.3278221040.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2102983893.0000029C5C331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2153166994.00000135C9691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2265756719.0000019A666F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2418918680.0000014E20711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2102983893.0000029C5C558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2153166994.00000135C98B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2265756719.0000019A66AA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.2385082051.0000019A7EEF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 0000000A.00000002.2586638323.0000014E39008000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoom/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0l
Source: powershell.exe, 00000002.00000002.2102983893.0000029C5C331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2153166994.00000135C9691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2265756719.0000019A666F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2418918680.0000014E20711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: edb.log.18.dr, qmgr.db.18.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000012.00000003.2732456791.000001BA75820000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr, qmgr.db.18.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2127592677.0000029C74A39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5mConsumererv
Source: powershell.exe, 00000002.00000002.2119512647.0000029C6C39F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2209288191.00000135D96FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2359742614.0000019A7675F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.18.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\DriverUpdt.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: DriverUpdt.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.DriverUpdt.exe.df0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DriverUpdt.exe.12ff1a78.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3310295199.0000000012FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2026730895.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\DriverUpdt, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Detected potential crypto function

Source: C:\Users\user\Desktop\DriverUpdt.exe	Code function: 0_2_00007FF848F016E9	0_2_00007FF848F016E9
Source: C:\Users\user\Desktop\DriverUpdt.exe	Code function: 0_2_00007FF848F06E42	0_2_00007FF848F06E42
Source: C:\Users\user\Desktop\DriverUpdt.exe	Code function: 0_2_00007FF848F02361	0_2_00007FF848F02361
Source: C:\Users\user\Desktop\DriverUpdt.exe	Code function: 0_2_00007FF848F06096	0_2_00007FF848F06096
Source: C:\Users\user\Desktop\DriverUpdt.exe	Code function: 0_2_00007FF848F020C1	0_2_00007FF848F020C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848FF30E9	8_2_00007FF848FF30E9
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Code function: 16_2_00007FF848F10E5E	16_2_00007FF848F10E5E
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Code function: 16_2_00007FF848F116E9	16_2_00007FF848F116E9
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Code function: 16_2_00007FF848F120C1	16_2_00007FF848F120C1
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Code function: 20_2_00007FF848F10E5E	20_2_00007FF848F10E5E
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Code function: 20_2_00007FF848F116E9	20_2_00007FF848F116E9
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Code function: 20_2_00007FF848F120C1	20_2_00007FF848F120C1

Uses 32bit PE files

Source: DriverUpdt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: DriverUpdt.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.DriverUpdt.exe.df0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DriverUpdt.exe.12ff1a78.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3310295199.0000000012FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2026730895.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\DriverUpdt, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: DriverUpdt.exe, rUq6Jc02GU46qh62C4zZA7O1E0dXcVGvvO.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: DriverUpdt.exe, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: DriverUpdt.exe, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: DriverUpdt.0.dr, rUq6Jc02GU46qh62C4zZA7O1E0dXcVGvvO.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: DriverUpdt.0.dr, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: DriverUpdt.0.dr, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, rUq6Jc02GU46qh62C4zZA7O1E0dXcVGvvO.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: DriverUpdt.exe, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.cs	Base64 encoded string: 'Wzyx3ogwisD56ZHkeZYkSrNpO3P9J9Ya4nyydoyDoMhqYbxKcIuCBE6nN3TYLZ2YGky5qwMVXBL9OzBj6saB', 'pEkzOAOMKFgZeEjnqyOdb2Nj9rg4fsl4Zisct4e8rZI8GpWTmVRpZXVefi66KO0FkTsZhrE3OUXpJalOj9B4', 'lGz07EJSsiEZHWKf405VC86ML0pFtcYa9DnDdlCrv8J198USUtFcC4ga0h6D3ane7yoXgP11tbBX4iDkUJeS', 'uzJDSqDxIrlZJqgOgwwy02Dz2doW9zNtgu1RZfT5wLgCGy8fQt7HHJ5u3k7cpPtrQjj193zWKo4RHGr1PzX7', 'kqsk7TjkQbOMRQH2P9ywEPNbF2r2incAMN3K1h9sJhx31ygvXxpPnN8wj2WFZsTUvvige5ObtRYEs6EG9D5d', 'P3jsV4lZMIEXKaHtWScW7lMfH1M7bVzOGpyPzhtflSe30EwumuBRdb6vTpfKTXnCs0EyLA83RPn8nmd7hA8r', 'k4IiQb8aZFjA4MsRFkE6P0TsgsiT9f6t02Ntz9sOgXWs0Nq6T70LKbhfkD5ShI8LUSrbaaQww9YO7IZrSXnF', 'xvJbDZCgm7lSnBhfxWOa8zS4w0526chcn7corNxa5cWF1mWYKadtQLF52nm6cGvwuyZd0azWMYzWeLS9lcev', 'Kj3Vb6PzHn9v07t3S0MWBznTXF1PkRT8IPHe7b7iUzNIQpLOGQIuf7Qw6sSjOHLy50aTBV6HbQz1FEQxMDre', 'QKbzE0YySm8lR0erhsq4rtsTMCTOH8uWKlTWQEr6qzkkxB0tXX13kESSZQ0TzkUiVIYEu9h6AFhoAozuHLGP'
Source: DriverUpdt.exe, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.cs	Base64 encoded string: 'uJIvKPRumgeUE7Cj6DUpv9OS9X3euISjlVu8QNQtltUm2IG3Y0JmlsPYPr5ci66SF5osCsrOnJPEtcePD1G1', 'XeZ2r4uLure0d6onZjoTUSlru3HjQ20XzQZ05KOuHMRAI6ctSnZGwEZJRRG3M7UxX1RD9uBRKZCu43NqpXe9'
Source: DriverUpdt.exe, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Base64 encoded string: 'RjaJGu3nFKjVX0HwnYwB9ectK5a6EyZDqeBpbfJVcWXzgU7cxwmplntKZbqu70u0hbw0FnnivfvskcF74o3X', 'IvZAem83h4vgpUmTHT5k0SVSUCWlugncvsAt7ObcW3MuzF5eUytFamzZuiXrAub6g02Vm5QmfvQ2cwbqj4la', 'JehyPCnBuflDs2d0ZYefcjO4JfBTQCC4HLKDhjmywyJhsaF0ReTf1GJEjxEzRWayaHAHaLzPSew8mvgAY6FW'
Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	Base64 encoded string: 'QgYbC2WdwKektmrwVSQXk6yB1NWvPEcjEeToyahhlq2wGd2keQrLxcDZTSUuhiqBwcodSszv1cFVZTcbLUYG', 'LOItW6SfTfvWaylwjhr8yEPSu2oJNoipfHWhndegtyONdycme84WEpTTBJJRvJ2U0rJMqbypLQZqriyuT7ZF', 't4S9tOQRYlNxhhE3lGaEFj9w0rrpGEgUSTZZoE66qxJZ7b8bKsn3G7Mt5X3S0ek8qgwVxv0K2Nh0JtU10dzU', 'Gr0dgRT9Isqyej2OaWxQTnFzKcx1kBFZ5uOIm80jhCWNMjPhceWcm9NnYdffK4fsEtvcysr7sg1JiNCeAf8F', 'NlazytOCkJxJwpVPk1IrAOFlMhiOhspVn63UIEtpMtwhm3FYRAiovb3P0X46ChDgHL0EIk7IlbjJnl1lAeS7', 'NUuBK0NmuFzZbbySSf5FK8kHSSZm0lufbsLrlhDw5HpjaxmbDuT0LtPUl0dFcrMkO9oaw5pmkxmCP9GSEUPg', 'hiHZ8Pnec7U0fALizQIaJmM6g8cZwU9aRArhJKGki3eSsi1UsFEfwmhnDyDHSgK1m4pfZlBfNclcdrv7bGOQ', 'tMDOOGYeG5UTwVFxUwxNGqt9UgalFlhCPr2mz5FNJOQTPvRS97rqk0cdnmliTYB2t7MMupqVM3IJOmtdq0Y7', 'rirOR0AtWALUZeGM2S5EWjWocdeAroBLyFZ79l6Q2bnUw3TvKnxQ0OvfPOdvMFlZbOQj5fQM5duB2nBRcjaB'
Source: DriverUpdt.0.dr, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.cs	Base64 encoded string: 'Wzyx3ogwisD56ZHkeZYkSrNpO3P9J9Ya4nyydoyDoMhqYbxKcIuCBE6nN3TYLZ2YGky5qwMVXBL9OzBj6saB', 'pEkzOAOMKFgZeEjnqyOdb2Nj9rg4fsl4Zisct4e8rZI8GpWTmVRpZXVefi66KO0FkTsZhrE3OUXpJalOj9B4', 'lGz07EJSsiEZHWKf405VC86ML0pFtcYa9DnDdlCrv8J198USUtFcC4ga0h6D3ane7yoXgP11tbBX4iDkUJeS', 'uzJDSqDxIrlZJqgOgwwy02Dz2doW9zNtgu1RZfT5wLgCGy8fQt7HHJ5u3k7cpPtrQjj193zWKo4RHGr1PzX7', 'kqsk7TjkQbOMRQH2P9ywEPNbF2r2incAMN3K1h9sJhx31ygvXxpPnN8wj2WFZsTUvvige5ObtRYEs6EG9D5d', 'P3jsV4lZMIEXKaHtWScW7lMfH1M7bVzOGpyPzhtflSe30EwumuBRdb6vTpfKTXnCs0EyLA83RPn8nmd7hA8r', 'k4IiQb8aZFjA4MsRFkE6P0TsgsiT9f6t02Ntz9sOgXWs0Nq6T70LKbhfkD5ShI8LUSrbaaQww9YO7IZrSXnF', 'xvJbDZCgm7lSnBhfxWOa8zS4w0526chcn7corNxa5cWF1mWYKadtQLF52nm6cGvwuyZd0azWMYzWeLS9lcev', 'Kj3Vb6PzHn9v07t3S0MWBznTXF1PkRT8IPHe7b7iUzNIQpLOGQIuf7Qw6sSjOHLy50aTBV6HbQz1FEQxMDre', 'QKbzE0YySm8lR0erhsq4rtsTMCTOH8uWKlTWQEr6qzkkxB0tXX13kESSZQ0TzkUiVIYEu9h6AFhoAozuHLGP'
Source: DriverUpdt.0.dr, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.cs	Base64 encoded string: 'uJIvKPRumgeUE7Cj6DUpv9OS9X3euISjlVu8QNQtltUm2IG3Y0JmlsPYPr5ci66SF5osCsrOnJPEtcePD1G1', 'XeZ2r4uLure0d6onZjoTUSlru3HjQ20XzQZ05KOuHMRAI6ctSnZGwEZJRRG3M7UxX1RD9uBRKZCu43NqpXe9'
Source: DriverUpdt.0.dr, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Base64 encoded string: 'RjaJGu3nFKjVX0HwnYwB9ectK5a6EyZDqeBpbfJVcWXzgU7cxwmplntKZbqu70u0hbw0FnnivfvskcF74o3X', 'IvZAem83h4vgpUmTHT5k0SVSUCWlugncvsAt7ObcW3MuzF5eUytFamzZuiXrAub6g02Vm5QmfvQ2cwbqj4la', 'JehyPCnBuflDs2d0ZYefcjO4JfBTQCC4HLKDhjmywyJhsaF0ReTf1GJEjxEzRWayaHAHaLzPSew8mvgAY6FW'
Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	Base64 encoded string: 'QgYbC2WdwKektmrwVSQXk6yB1NWvPEcjEeToyahhlq2wGd2keQrLxcDZTSUuhiqBwcodSszv1cFVZTcbLUYG', 'LOItW6SfTfvWaylwjhr8yEPSu2oJNoipfHWhndegtyONdycme84WEpTTBJJRvJ2U0rJMqbypLQZqriyuT7ZF', 't4S9tOQRYlNxhhE3lGaEFj9w0rrpGEgUSTZZoE66qxJZ7b8bKsn3G7Mt5X3S0ek8qgwVxv0K2Nh0JtU10dzU', 'Gr0dgRT9Isqyej2OaWxQTnFzKcx1kBFZ5uOIm80jhCWNMjPhceWcm9NnYdffK4fsEtvcysr7sg1JiNCeAf8F', 'NlazytOCkJxJwpVPk1IrAOFlMhiOhspVn63UIEtpMtwhm3FYRAiovb3P0X46ChDgHL0EIk7IlbjJnl1lAeS7', 'NUuBK0NmuFzZbbySSf5FK8kHSSZm0lufbsLrlhDw5HpjaxmbDuT0LtPUl0dFcrMkO9oaw5pmkxmCP9GSEUPg', 'hiHZ8Pnec7U0fALizQIaJmM6g8cZwU9aRArhJKGki3eSsi1UsFEfwmhnDyDHSgK1m4pfZlBfNclcdrv7bGOQ', 'tMDOOGYeG5UTwVFxUwxNGqt9UgalFlhCPr2mz5FNJOQTPvRS97rqk0cdnmliTYB2t7MMupqVM3IJOmtdq0Y7', 'rirOR0AtWALUZeGM2S5EWjWocdeAroBLyFZ79l6Q2bnUw3TvKnxQ0OvfPOdvMFlZbOQj5fQM5duB2nBRcjaB'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.cs	Base64 encoded string: 'Wzyx3ogwisD56ZHkeZYkSrNpO3P9J9Ya4nyydoyDoMhqYbxKcIuCBE6nN3TYLZ2YGky5qwMVXBL9OzBj6saB', 'pEkzOAOMKFgZeEjnqyOdb2Nj9rg4fsl4Zisct4e8rZI8GpWTmVRpZXVefi66KO0FkTsZhrE3OUXpJalOj9B4', 'lGz07EJSsiEZHWKf405VC86ML0pFtcYa9DnDdlCrv8J198USUtFcC4ga0h6D3ane7yoXgP11tbBX4iDkUJeS', 'uzJDSqDxIrlZJqgOgwwy02Dz2doW9zNtgu1RZfT5wLgCGy8fQt7HHJ5u3k7cpPtrQjj193zWKo4RHGr1PzX7', 'kqsk7TjkQbOMRQH2P9ywEPNbF2r2incAMN3K1h9sJhx31ygvXxpPnN8wj2WFZsTUvvige5ObtRYEs6EG9D5d', 'P3jsV4lZMIEXKaHtWScW7lMfH1M7bVzOGpyPzhtflSe30EwumuBRdb6vTpfKTXnCs0EyLA83RPn8nmd7hA8r', 'k4IiQb8aZFjA4MsRFkE6P0TsgsiT9f6t02Ntz9sOgXWs0Nq6T70LKbhfkD5ShI8LUSrbaaQww9YO7IZrSXnF', 'xvJbDZCgm7lSnBhfxWOa8zS4w0526chcn7corNxa5cWF1mWYKadtQLF52nm6cGvwuyZd0azWMYzWeLS9lcev', 'Kj3Vb6PzHn9v07t3S0MWBznTXF1PkRT8IPHe7b7iUzNIQpLOGQIuf7Qw6sSjOHLy50aTBV6HbQz1FEQxMDre', 'QKbzE0YySm8lR0erhsq4rtsTMCTOH8uWKlTWQEr6qzkkxB0tXX13kESSZQ0TzkUiVIYEu9h6AFhoAozuHLGP'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.cs	Base64 encoded string: 'uJIvKPRumgeUE7Cj6DUpv9OS9X3euISjlVu8QNQtltUm2IG3Y0JmlsPYPr5ci66SF5osCsrOnJPEtcePD1G1', 'XeZ2r4uLure0d6onZjoTUSlru3HjQ20XzQZ05KOuHMRAI6ctSnZGwEZJRRG3M7UxX1RD9uBRKZCu43NqpXe9'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Base64 encoded string: 'RjaJGu3nFKjVX0HwnYwB9ectK5a6EyZDqeBpbfJVcWXzgU7cxwmplntKZbqu70u0hbw0FnnivfvskcF74o3X', 'IvZAem83h4vgpUmTHT5k0SVSUCWlugncvsAt7ObcW3MuzF5eUytFamzZuiXrAub6g02Vm5QmfvQ2cwbqj4la', 'JehyPCnBuflDs2d0ZYefcjO4JfBTQCC4HLKDhjmywyJhsaF0ReTf1GJEjxEzRWayaHAHaLzPSew8mvgAY6FW'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	Base64 encoded string: 'QgYbC2WdwKektmrwVSQXk6yB1NWvPEcjEeToyahhlq2wGd2keQrLxcDZTSUuhiqBwcodSszv1cFVZTcbLUYG', 'LOItW6SfTfvWaylwjhr8yEPSu2oJNoipfHWhndegtyONdycme84WEpTTBJJRvJ2U0rJMqbypLQZqriyuT7ZF', 't4S9tOQRYlNxhhE3lGaEFj9w0rrpGEgUSTZZoE66qxJZ7b8bKsn3G7Mt5X3S0ek8qgwVxv0K2Nh0JtU10dzU', 'Gr0dgRT9Isqyej2OaWxQTnFzKcx1kBFZ5uOIm80jhCWNMjPhceWcm9NnYdffK4fsEtvcysr7sg1JiNCeAf8F', 'NlazytOCkJxJwpVPk1IrAOFlMhiOhspVn63UIEtpMtwhm3FYRAiovb3P0X46ChDgHL0EIk7IlbjJnl1lAeS7', 'NUuBK0NmuFzZbbySSf5FK8kHSSZm0lufbsLrlhDw5HpjaxmbDuT0LtPUl0dFcrMkO9oaw5pmkxmCP9GSEUPg', 'hiHZ8Pnec7U0fALizQIaJmM6g8cZwU9aRArhJKGki3eSsi1UsFEfwmhnDyDHSgK1m4pfZlBfNclcdrv7bGOQ', 'tMDOOGYeG5UTwVFxUwxNGqt9UgalFlhCPr2mz5FNJOQTPvRS97rqk0cdnmliTYB2t7MMupqVM3IJOmtdq0Y7', 'rirOR0AtWALUZeGM2S5EWjWocdeAroBLyFZ79l6Q2bnUw3TvKnxQ0OvfPOdvMFlZbOQj5fQM5duB2nBRcjaB'

Source: DriverUpdt.exe, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: DriverUpdt.exe, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: DriverUpdt.0.dr, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: DriverUpdt.0.dr, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@21/25@2/3

Source: C:\Users\user\Desktop\DriverUpdt.exe

File created: C:\Users\user\AppData\Roaming\DriverUpdt

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1216:120:WilError_03
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Mutant created: NULL
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:320:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_03
Source: C:\Users\user\Desktop\DriverUpdt.exe	Mutant created: \Sessions\1\BaseNamedObjects\4fPEH1k67YijypJe
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6208:120:WilError_03

Source: C:\Users\user\Desktop\DriverUpdt.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: DriverUpdt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DriverUpdt.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\DriverUpdt.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DriverUpdt.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DriverUpdt.exe

ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\DriverUpdt.exe

File read: C:\Users\user\Desktop\DriverUpdt.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DriverUpdt.exe "C:\Users\user\Desktop\DriverUpdt.exe"
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\DriverUpdt'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\DriverUpdt C:\Users\user\AppData\Roaming\DriverUpdt
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\DriverUpdt C:\Users\user\AppData\Roaming\DriverUpdt
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\DriverUpdt'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt"	Jump to behavior

Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\DriverUpdt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: DriverUpdt.lnk.0.dr

LNK file: ..\..\..\..\..\DriverUpdt

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: DriverUpdt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DriverUpdt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.kXvcjdmVY4zjRWVFXC3lBrUcBHK4LAN0d47tJ5k2LEuQI0mzt,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.xlbB3IbMaqdUb2n0f0CvPr61P2Uptm2pFO2H7q1xFeivbGFh0,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.KoNhKT39GT3lTIAfnbUdSyhuO0g2ooVUvR5NzfWgg3mVI2B2w,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.Xvf6QwUCtc6L1cEQe7heHcbBSCrayGp1BvJwaxebNPVDIH7VA,NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.hjZApXRfz1grdXI3WWGkQZSNuyC952qG2G()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2],NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.kLWkQWPCFdYmVqccyS5xT7N08VG3zFjVGo(Convert.FromBase64String(HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.kXvcjdmVY4zjRWVFXC3lBrUcBHK4LAN0d47tJ5k2LEuQI0mzt,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.xlbB3IbMaqdUb2n0f0CvPr61P2Uptm2pFO2H7q1xFeivbGFh0,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.KoNhKT39GT3lTIAfnbUdSyhuO0g2ooVUvR5NzfWgg3mVI2B2w,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.Xvf6QwUCtc6L1cEQe7heHcbBSCrayGp1BvJwaxebNPVDIH7VA,NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.hjZApXRfz1grdXI3WWGkQZSNuyC952qG2G()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2],NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.kLWkQWPCFdYmVqccyS5xT7N08VG3zFjVGo(Convert.FromBase64String(HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.kXvcjdmVY4zjRWVFXC3lBrUcBHK4LAN0d47tJ5k2LEuQI0mzt,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.xlbB3IbMaqdUb2n0f0CvPr61P2Uptm2pFO2H7q1xFeivbGFh0,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.KoNhKT39GT3lTIAfnbUdSyhuO0g2ooVUvR5NzfWgg3mVI2B2w,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.Xvf6QwUCtc6L1cEQe7heHcbBSCrayGp1BvJwaxebNPVDIH7VA,NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.hjZApXRfz1grdXI3WWGkQZSNuyC952qG2G()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2],NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.kLWkQWPCFdYmVqccyS5xT7N08VG3zFjVGo(Convert.FromBase64String(HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h System.AppDomain.Load(byte[])
Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM System.AppDomain.Load(byte[])
Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM
Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h System.AppDomain.Load(byte[])
Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM System.AppDomain.Load(byte[])
Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h System.AppDomain.Load(byte[])
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM System.AppDomain.Load(byte[])
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\DriverUpdt.exe	Code function: 0_2_00007FF848F000BD pushad ; iretd	0_2_00007FF848F000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848E0D2A5 pushad ; iretd	2_2_00007FF848E0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F20DA0 pushad ; retf	2_2_00007FF848F20E0D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F200BD pushad ; iretd	2_2_00007FF848F200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848DED2A5 pushad ; iretd	5_2_00007FF848DED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848F000BD pushad ; iretd	5_2_00007FF848F000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848E0D2A5 pushad ; iretd	8_2_00007FF848E0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848F2B9FA push E85A2FD7h; ret	8_2_00007FF848F2BAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848F200BD pushad ; iretd	8_2_00007FF848F200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF848E0D2A5 pushad ; iretd	10_2_00007FF848E0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF848F200BD pushad ; iretd	10_2_00007FF848F200C1
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Code function: 16_2_00007FF848F100BD pushad ; iretd	16_2_00007FF848F100C1
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Code function: 20_2_00007FF848F100BD pushad ; iretd	20_2_00007FF848F100C1

Source: DriverUpdt.exe, 0f5wN5iaksWJx8oMfJnXxCNtYs1IH8rt9K.cs	High entropy of concatenated method names: 'opDBjU1PODJbkaegdOB16WOFLY3mQwEdEl', 'a8JZBv7fLLr1RdVHhT7X73eC6HVDEuyzz5', '_0b9JnZEwICj7AGlBNURRztqML9SXeOZXL7', 'ATm6kN4FZHBZVfWhdbiVl10mjT', 'VD7JRi8WA6tNsZYOCrtsYfuvZV', '_55RVfoVYvecnmerTVPbxQt16vz', 'fW22Fiwx3IERa8JUW4qOSSwnFO', 'QPB9P6GSY9LK8xuIoVRml4j6MF', 'gzqTCi4f8OAhTPJItNGigaUu0T', 'XpA5SrtJGG2wBuUMwtKaY0RP2E'
Source: DriverUpdt.exe, ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.cs	High entropy of concatenated method names: 'avahQgg4hRxzX9sWEUVQHLXmMpxnnFQiZAhATcEne8jNC3GaHS6apCiUPFDRZ2tiMU', 'iiFlDfMB5MyGNa4QvvKZTieUzrznlepuhAftVwpjHqQyaIbiUMOa0yDQeLU5ZDvfvt', 'jSKnBOXrdi9UB1TQioMoUO8q6XAJicBEgFkb8UwhJy2Q2On2QORUreQXzhgeuvAnUh', 'MUGBiOpCAZALg18jYxbZem3mEJnIrJwCh5qELe8nZUzaT18guOceKdRTXNILt3qGh4'
Source: DriverUpdt.exe, ItGbRSbZFa55CcXB.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_0Love8mNF6aQdUOwBy38dDjl1YTHDjVbSbOLcprgBKwiaR9GQJqhsr24QGQFBc7oR5', '_5CSekGcVzZeoXZVENEqxcwNMvwPPZKiVqsUftGWbLqoK0sGqe9F3gVvJh1EQlCCqY4', 'Ht267XslWyBGNwGKM8CnIlTTlhouBGyJmbW8Udltu3AppwidYGJJMEneGlGyg7L0u0', 'KWl0mfZs0Dl0gfgooBpj0tseVrhreDSUzs9bW3ppX0z5NFwdu7aM7NIm4QF3v9wRy3'
Source: DriverUpdt.exe, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.cs	High entropy of concatenated method names: 'APq8HycpkPPjuDvi1sU0rjrQUmaVP3ID5K', 'UAc4yzzQ0GHVyuqxYwn0WWNqNW5YVXEX1T', '_7GJx3tULSMI6DNglNBPRFZnT7FpG6XxC24', 'oNjeO3ZFk0i7KeWtYzLT6DEYzx5EIl1Skx', 'Hivj6AHvQE9Mw9dvVggOg6jXbqNcPsJN8t', 'suBZaleEhn3iSaelJmGDY5DltNl5Tewq00', 'VDkCCL325lQjGKNJKk7TBL2Udz2oezOxb9', '_0YZbHdatVdNEN8nbiS8yT54eVWO30E8DWa', 'lp9NjEbIPxs9pF55qE3jVLzvblspVcvmaH', 'UhWxUNDlFThOwjYPG0l0acHFr5NePqj52e'
Source: DriverUpdt.exe, IxmT2WkPyORcZnISbnQeQ4J3xaAS3FBXxGK6ZtWktXuanuHSX.cs	High entropy of concatenated method names: 'BLM3rzpZtmjMMu9ZsUHeoVBJXmNvFTRdmUqRb7gYZvnQ023Cc', 'nh3KsCg04VCVMQzVX4yaL58h78ZCZR8yeuPao0ZRQAzQQfuhq', 'NSMkFOzg0rZ6YqpPV3jZhKbGaQFdPWF29l6I6P5YFrOgeKbV8', 'qs9Wu1E0FPVMQycOn1HJaAUJedRWZGda7UWzDgSkpWktqMZgy', 'QGfHhiirzqTpJFc5NkDUvgJg31bxC7yQtXexVJne2avAwOXKL', 'srbGpOt4IdjtvS1TwXRlvnc4c4gMPvIdCsO2p4tYzwPFtKHXP', '_3R8LTyvp37xGDVBNwmZfDvT0LDKI8CQ47hU8sbKhfmLlIZKVY', 'KrQ81CshIb95AY55FoK2Ee1LRHguA1kYew6tgd9j5l5CANh0s', '_80T3zQuCLmB5ehw5g8EaUt5gzDf0cydzCZVGIXQu9VyAEKVE0', 'lwJG5dNm7w2PzL4a9SPA0hMi69md5pEaJwj1OuoGCf6fCECxc'
Source: DriverUpdt.exe, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.cs	High entropy of concatenated method names: 'Mdt9l9R8TF7ur7Pv30sF3z8cCt5ncWgSUS', '_70nnctB0EBs6NssjjTsDMAAfcZ4iiAEHaKkdAz63u5sgFONvGoKYnEmvZ5kohXRXUz207sWNz3P5dlDx9Qoo', 'olVlEttCG0PtcKVJ8QXyt4BxeUf13GiNneDO1Ctkq1AIuJ4jSloNmWQLAFcjbp6aLg3WjEOqU8zoAegrngbA', 'wrAbldAE7kHEx7Kx4FEe3dRz4nBQPFr3j0wvR6guJ9wnN4TTAfdOIU7cMx35Pohmhy8fRwMzE86QOEJ0V5ax', 'FXknOpZ2o73XPQpP4mWAElExaLv4JJSMQlVlXT1MA9uK3rCo7i2DNomtuzlFOQCjOIXboCjQ1fNpJeyi5KAF'
Source: DriverUpdt.exe, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	High entropy of concatenated method names: 'ikzeM2JjEiTZLrO4eUCXFnU3WhiotWH5eWDkWpRierwdr2jWl', 'YsZjJgGxZhrccUsYXC98oaLNoqPds9pMA56yCOIGchvARkPK3', '_9qYRdciTZi8i7BmpK0OOQJbLuUfk0z6ikVdYd1DyqBjlzB5Vx', 'xjT7ceg8SwwL3sI8Prh56VIZ0ES3HiNdmbcU8Cm75DFqlG2OS', 'ttlJyRRizCsAKjUHv21YMfaAgQrItnUt936IpaaS0IWCuuL79', '_7lBB1vY9590PUwREPO2XQ9Ta2N4rUi5ZXMjenqB87tjDhYrpf', 'Gv9IXoYTxUOMuYnNNc8bmf2rD4vZWhXeT8NBsI5cfmsvPkd9T', 'yBGjAMx4IrJ4aBRYYrLAGIaGfZ84WjDxBONjZCVTj7f3O6dzv', 'Inhu2x7FoMBVe9FuhOGNS6bRyCxJrr4oKyVkAtDg2IcXXlICq', 'Vb2OtZ2mFtvBXdxk6W24bVlMj4TR0t2hjt8ZveELUelgwbLWo'
Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	High entropy of concatenated method names: 'ildmhkmnbomr0mhRclue73B4mqDqfe2JCONbWZi8jSg3MtK5L', 'nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h', 'eBRTBiiKlaBa0nndhupVEfasKgyUQgsIYVjXrOAxWRHbx97Yy', 'xDDAcd24X0UM0InsZAzkXyNlZC0y1oxxZs08YSlDl5W7voDP9', '_9x3bq69WpSh2QEbPgy13f3Thf8mb07YJXQtTgORxCaKVouQ7r', 'DRBpVHXHuIDdraLjtTW3ud5dBP9RMkpv0ICIvukFEz8OdD914', 'Cm1g9Xqe6mvRnFJHFdCeAoPaFcp8RFYtH4OyMNAh2ZrNktAKB', 'zycGKiBG1PdklsIFy5rda165WUVvnKSgGnjiWxqJMhFCyfF6L', 'lLd9DKzpQ9cOwBL2Cqz03ESn4JJdLZlGGegBMZAEgRLcpbTLz', 'qEejvT4kIexfScEWiaTm5ayBpThzE6FSO130Sq9CSehtYMKy0'
Source: DriverUpdt.exe, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	High entropy of concatenated method names: 'j70LpoWliDlcDxqBLr7QPUVmRwzEZZSB5Q', 'XjyxFp9w2yxFP7yagokte9Txm6vSpEwZvu', 'xsIANs6XzK9V9g4bVJ7oYf2yaC2F6Zdoui', 'SCYpS2v9ZMrHbvPKUkLCFTdqvJwrWL6UIq', 'Gn3LPYcAEH4fT4FDq0lYO2pqy1ZyTAMzHJ', 'wqOdlSLJYxuGSGNkBiX4qpJaeYvgLOEtyT', 'YPaFf6ag4KSOtFiZYcsP8kSHEABZbUeg0Y', 'W5kNoQ1Lru1E9kA2mBElGDjEiNqtw2kYzY', 'Fg7NzeJUpyCxTbjekUC33MYJZYr1kYncAM', 'JPViTqXldagtsTNADEBTIiJu1dzXJmcJ3g'
Source: DriverUpdt.exe, wOOq5bB92Ba7ooz2WkCQzTmIBUxVaDWziB.cs	High entropy of concatenated method names: 'R4qUnPzsX0NNtkNpbJLbOefCNgIn8Khuyn', 'wJMZ8oQvfLskpob9at41iUQcenI8WcFxS1', 'JDj0bhNXMA4oVfZMP8tr1xDpOnCEknUWCj', 'VSLvHoxKCl8UT61ZJzsYVNx0hIvaK5Draj', '_88qow1UlAh03CWPLgNcWynEtzl', 'clcGaDtaQDW3m5zqoXpsOYFE0S', '_652Oz4ZQx0IEy53L0DdCU8bVhA', 'MV4RQrPbq6IgaySoRPKtxrBaex', 'TDpTfW2S1YbyGXkCojqO0lNSsq', 'joZe4kEAR1UlntbknsLA6l9pCX'
Source: DriverUpdt.0.dr, 0f5wN5iaksWJx8oMfJnXxCNtYs1IH8rt9K.cs	High entropy of concatenated method names: 'opDBjU1PODJbkaegdOB16WOFLY3mQwEdEl', 'a8JZBv7fLLr1RdVHhT7X73eC6HVDEuyzz5', '_0b9JnZEwICj7AGlBNURRztqML9SXeOZXL7', 'ATm6kN4FZHBZVfWhdbiVl10mjT', 'VD7JRi8WA6tNsZYOCrtsYfuvZV', '_55RVfoVYvecnmerTVPbxQt16vz', 'fW22Fiwx3IERa8JUW4qOSSwnFO', 'QPB9P6GSY9LK8xuIoVRml4j6MF', 'gzqTCi4f8OAhTPJItNGigaUu0T', 'XpA5SrtJGG2wBuUMwtKaY0RP2E'
Source: DriverUpdt.0.dr, ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.cs	High entropy of concatenated method names: 'avahQgg4hRxzX9sWEUVQHLXmMpxnnFQiZAhATcEne8jNC3GaHS6apCiUPFDRZ2tiMU', 'iiFlDfMB5MyGNa4QvvKZTieUzrznlepuhAftVwpjHqQyaIbiUMOa0yDQeLU5ZDvfvt', 'jSKnBOXrdi9UB1TQioMoUO8q6XAJicBEgFkb8UwhJy2Q2On2QORUreQXzhgeuvAnUh', 'MUGBiOpCAZALg18jYxbZem3mEJnIrJwCh5qELe8nZUzaT18guOceKdRTXNILt3qGh4'
Source: DriverUpdt.0.dr, ItGbRSbZFa55CcXB.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_0Love8mNF6aQdUOwBy38dDjl1YTHDjVbSbOLcprgBKwiaR9GQJqhsr24QGQFBc7oR5', '_5CSekGcVzZeoXZVENEqxcwNMvwPPZKiVqsUftGWbLqoK0sGqe9F3gVvJh1EQlCCqY4', 'Ht267XslWyBGNwGKM8CnIlTTlhouBGyJmbW8Udltu3AppwidYGJJMEneGlGyg7L0u0', 'KWl0mfZs0Dl0gfgooBpj0tseVrhreDSUzs9bW3ppX0z5NFwdu7aM7NIm4QF3v9wRy3'
Source: DriverUpdt.0.dr, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.cs	High entropy of concatenated method names: 'APq8HycpkPPjuDvi1sU0rjrQUmaVP3ID5K', 'UAc4yzzQ0GHVyuqxYwn0WWNqNW5YVXEX1T', '_7GJx3tULSMI6DNglNBPRFZnT7FpG6XxC24', 'oNjeO3ZFk0i7KeWtYzLT6DEYzx5EIl1Skx', 'Hivj6AHvQE9Mw9dvVggOg6jXbqNcPsJN8t', 'suBZaleEhn3iSaelJmGDY5DltNl5Tewq00', 'VDkCCL325lQjGKNJKk7TBL2Udz2oezOxb9', '_0YZbHdatVdNEN8nbiS8yT54eVWO30E8DWa', 'lp9NjEbIPxs9pF55qE3jVLzvblspVcvmaH', 'UhWxUNDlFThOwjYPG0l0acHFr5NePqj52e'
Source: DriverUpdt.0.dr, IxmT2WkPyORcZnISbnQeQ4J3xaAS3FBXxGK6ZtWktXuanuHSX.cs	High entropy of concatenated method names: 'BLM3rzpZtmjMMu9ZsUHeoVBJXmNvFTRdmUqRb7gYZvnQ023Cc', 'nh3KsCg04VCVMQzVX4yaL58h78ZCZR8yeuPao0ZRQAzQQfuhq', 'NSMkFOzg0rZ6YqpPV3jZhKbGaQFdPWF29l6I6P5YFrOgeKbV8', 'qs9Wu1E0FPVMQycOn1HJaAUJedRWZGda7UWzDgSkpWktqMZgy', 'QGfHhiirzqTpJFc5NkDUvgJg31bxC7yQtXexVJne2avAwOXKL', 'srbGpOt4IdjtvS1TwXRlvnc4c4gMPvIdCsO2p4tYzwPFtKHXP', '_3R8LTyvp37xGDVBNwmZfDvT0LDKI8CQ47hU8sbKhfmLlIZKVY', 'KrQ81CshIb95AY55FoK2Ee1LRHguA1kYew6tgd9j5l5CANh0s', '_80T3zQuCLmB5ehw5g8EaUt5gzDf0cydzCZVGIXQu9VyAEKVE0', 'lwJG5dNm7w2PzL4a9SPA0hMi69md5pEaJwj1OuoGCf6fCECxc'
Source: DriverUpdt.0.dr, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.cs	High entropy of concatenated method names: 'Mdt9l9R8TF7ur7Pv30sF3z8cCt5ncWgSUS', '_70nnctB0EBs6NssjjTsDMAAfcZ4iiAEHaKkdAz63u5sgFONvGoKYnEmvZ5kohXRXUz207sWNz3P5dlDx9Qoo', 'olVlEttCG0PtcKVJ8QXyt4BxeUf13GiNneDO1Ctkq1AIuJ4jSloNmWQLAFcjbp6aLg3WjEOqU8zoAegrngbA', 'wrAbldAE7kHEx7Kx4FEe3dRz4nBQPFr3j0wvR6guJ9wnN4TTAfdOIU7cMx35Pohmhy8fRwMzE86QOEJ0V5ax', 'FXknOpZ2o73XPQpP4mWAElExaLv4JJSMQlVlXT1MA9uK3rCo7i2DNomtuzlFOQCjOIXboCjQ1fNpJeyi5KAF'
Source: DriverUpdt.0.dr, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	High entropy of concatenated method names: 'ikzeM2JjEiTZLrO4eUCXFnU3WhiotWH5eWDkWpRierwdr2jWl', 'YsZjJgGxZhrccUsYXC98oaLNoqPds9pMA56yCOIGchvARkPK3', '_9qYRdciTZi8i7BmpK0OOQJbLuUfk0z6ikVdYd1DyqBjlzB5Vx', 'xjT7ceg8SwwL3sI8Prh56VIZ0ES3HiNdmbcU8Cm75DFqlG2OS', 'ttlJyRRizCsAKjUHv21YMfaAgQrItnUt936IpaaS0IWCuuL79', '_7lBB1vY9590PUwREPO2XQ9Ta2N4rUi5ZXMjenqB87tjDhYrpf', 'Gv9IXoYTxUOMuYnNNc8bmf2rD4vZWhXeT8NBsI5cfmsvPkd9T', 'yBGjAMx4IrJ4aBRYYrLAGIaGfZ84WjDxBONjZCVTj7f3O6dzv', 'Inhu2x7FoMBVe9FuhOGNS6bRyCxJrr4oKyVkAtDg2IcXXlICq', 'Vb2OtZ2mFtvBXdxk6W24bVlMj4TR0t2hjt8ZveELUelgwbLWo'
Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	High entropy of concatenated method names: 'ildmhkmnbomr0mhRclue73B4mqDqfe2JCONbWZi8jSg3MtK5L', 'nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h', 'eBRTBiiKlaBa0nndhupVEfasKgyUQgsIYVjXrOAxWRHbx97Yy', 'xDDAcd24X0UM0InsZAzkXyNlZC0y1oxxZs08YSlDl5W7voDP9', '_9x3bq69WpSh2QEbPgy13f3Thf8mb07YJXQtTgORxCaKVouQ7r', 'DRBpVHXHuIDdraLjtTW3ud5dBP9RMkpv0ICIvukFEz8OdD914', 'Cm1g9Xqe6mvRnFJHFdCeAoPaFcp8RFYtH4OyMNAh2ZrNktAKB', 'zycGKiBG1PdklsIFy5rda165WUVvnKSgGnjiWxqJMhFCyfF6L', 'lLd9DKzpQ9cOwBL2Cqz03ESn4JJdLZlGGegBMZAEgRLcpbTLz', 'qEejvT4kIexfScEWiaTm5ayBpThzE6FSO130Sq9CSehtYMKy0'
Source: DriverUpdt.0.dr, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	High entropy of concatenated method names: 'j70LpoWliDlcDxqBLr7QPUVmRwzEZZSB5Q', 'XjyxFp9w2yxFP7yagokte9Txm6vSpEwZvu', 'xsIANs6XzK9V9g4bVJ7oYf2yaC2F6Zdoui', 'SCYpS2v9ZMrHbvPKUkLCFTdqvJwrWL6UIq', 'Gn3LPYcAEH4fT4FDq0lYO2pqy1ZyTAMzHJ', 'wqOdlSLJYxuGSGNkBiX4qpJaeYvgLOEtyT', 'YPaFf6ag4KSOtFiZYcsP8kSHEABZbUeg0Y', 'W5kNoQ1Lru1E9kA2mBElGDjEiNqtw2kYzY', 'Fg7NzeJUpyCxTbjekUC33MYJZYr1kYncAM', 'JPViTqXldagtsTNADEBTIiJu1dzXJmcJ3g'
Source: DriverUpdt.0.dr, wOOq5bB92Ba7ooz2WkCQzTmIBUxVaDWziB.cs	High entropy of concatenated method names: 'R4qUnPzsX0NNtkNpbJLbOefCNgIn8Khuyn', 'wJMZ8oQvfLskpob9at41iUQcenI8WcFxS1', 'JDj0bhNXMA4oVfZMP8tr1xDpOnCEknUWCj', 'VSLvHoxKCl8UT61ZJzsYVNx0hIvaK5Draj', '_88qow1UlAh03CWPLgNcWynEtzl', 'clcGaDtaQDW3m5zqoXpsOYFE0S', '_652Oz4ZQx0IEy53L0DdCU8bVhA', 'MV4RQrPbq6IgaySoRPKtxrBaex', 'TDpTfW2S1YbyGXkCojqO0lNSsq', 'joZe4kEAR1UlntbknsLA6l9pCX'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, 0f5wN5iaksWJx8oMfJnXxCNtYs1IH8rt9K.cs	High entropy of concatenated method names: 'opDBjU1PODJbkaegdOB16WOFLY3mQwEdEl', 'a8JZBv7fLLr1RdVHhT7X73eC6HVDEuyzz5', '_0b9JnZEwICj7AGlBNURRztqML9SXeOZXL7', 'ATm6kN4FZHBZVfWhdbiVl10mjT', 'VD7JRi8WA6tNsZYOCrtsYfuvZV', '_55RVfoVYvecnmerTVPbxQt16vz', 'fW22Fiwx3IERa8JUW4qOSSwnFO', 'QPB9P6GSY9LK8xuIoVRml4j6MF', 'gzqTCi4f8OAhTPJItNGigaUu0T', 'XpA5SrtJGG2wBuUMwtKaY0RP2E'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.cs	High entropy of concatenated method names: 'avahQgg4hRxzX9sWEUVQHLXmMpxnnFQiZAhATcEne8jNC3GaHS6apCiUPFDRZ2tiMU', 'iiFlDfMB5MyGNa4QvvKZTieUzrznlepuhAftVwpjHqQyaIbiUMOa0yDQeLU5ZDvfvt', 'jSKnBOXrdi9UB1TQioMoUO8q6XAJicBEgFkb8UwhJy2Q2On2QORUreQXzhgeuvAnUh', 'MUGBiOpCAZALg18jYxbZem3mEJnIrJwCh5qELe8nZUzaT18guOceKdRTXNILt3qGh4'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, ItGbRSbZFa55CcXB.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_0Love8mNF6aQdUOwBy38dDjl1YTHDjVbSbOLcprgBKwiaR9GQJqhsr24QGQFBc7oR5', '_5CSekGcVzZeoXZVENEqxcwNMvwPPZKiVqsUftGWbLqoK0sGqe9F3gVvJh1EQlCCqY4', 'Ht267XslWyBGNwGKM8CnIlTTlhouBGyJmbW8Udltu3AppwidYGJJMEneGlGyg7L0u0', 'KWl0mfZs0Dl0gfgooBpj0tseVrhreDSUzs9bW3ppX0z5NFwdu7aM7NIm4QF3v9wRy3'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.cs	High entropy of concatenated method names: 'APq8HycpkPPjuDvi1sU0rjrQUmaVP3ID5K', 'UAc4yzzQ0GHVyuqxYwn0WWNqNW5YVXEX1T', '_7GJx3tULSMI6DNglNBPRFZnT7FpG6XxC24', 'oNjeO3ZFk0i7KeWtYzLT6DEYzx5EIl1Skx', 'Hivj6AHvQE9Mw9dvVggOg6jXbqNcPsJN8t', 'suBZaleEhn3iSaelJmGDY5DltNl5Tewq00', 'VDkCCL325lQjGKNJKk7TBL2Udz2oezOxb9', '_0YZbHdatVdNEN8nbiS8yT54eVWO30E8DWa', 'lp9NjEbIPxs9pF55qE3jVLzvblspVcvmaH', 'UhWxUNDlFThOwjYPG0l0acHFr5NePqj52e'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, IxmT2WkPyORcZnISbnQeQ4J3xaAS3FBXxGK6ZtWktXuanuHSX.cs	High entropy of concatenated method names: 'BLM3rzpZtmjMMu9ZsUHeoVBJXmNvFTRdmUqRb7gYZvnQ023Cc', 'nh3KsCg04VCVMQzVX4yaL58h78ZCZR8yeuPao0ZRQAzQQfuhq', 'NSMkFOzg0rZ6YqpPV3jZhKbGaQFdPWF29l6I6P5YFrOgeKbV8', 'qs9Wu1E0FPVMQycOn1HJaAUJedRWZGda7UWzDgSkpWktqMZgy', 'QGfHhiirzqTpJFc5NkDUvgJg31bxC7yQtXexVJne2avAwOXKL', 'srbGpOt4IdjtvS1TwXRlvnc4c4gMPvIdCsO2p4tYzwPFtKHXP', '_3R8LTyvp37xGDVBNwmZfDvT0LDKI8CQ47hU8sbKhfmLlIZKVY', 'KrQ81CshIb95AY55FoK2Ee1LRHguA1kYew6tgd9j5l5CANh0s', '_80T3zQuCLmB5ehw5g8EaUt5gzDf0cydzCZVGIXQu9VyAEKVE0', 'lwJG5dNm7w2PzL4a9SPA0hMi69md5pEaJwj1OuoGCf6fCECxc'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.cs	High entropy of concatenated method names: 'Mdt9l9R8TF7ur7Pv30sF3z8cCt5ncWgSUS', '_70nnctB0EBs6NssjjTsDMAAfcZ4iiAEHaKkdAz63u5sgFONvGoKYnEmvZ5kohXRXUz207sWNz3P5dlDx9Qoo', 'olVlEttCG0PtcKVJ8QXyt4BxeUf13GiNneDO1Ctkq1AIuJ4jSloNmWQLAFcjbp6aLg3WjEOqU8zoAegrngbA', 'wrAbldAE7kHEx7Kx4FEe3dRz4nBQPFr3j0wvR6guJ9wnN4TTAfdOIU7cMx35Pohmhy8fRwMzE86QOEJ0V5ax', 'FXknOpZ2o73XPQpP4mWAElExaLv4JJSMQlVlXT1MA9uK3rCo7i2DNomtuzlFOQCjOIXboCjQ1fNpJeyi5KAF'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	High entropy of concatenated method names: 'ikzeM2JjEiTZLrO4eUCXFnU3WhiotWH5eWDkWpRierwdr2jWl', 'YsZjJgGxZhrccUsYXC98oaLNoqPds9pMA56yCOIGchvARkPK3', '_9qYRdciTZi8i7BmpK0OOQJbLuUfk0z6ikVdYd1DyqBjlzB5Vx', 'xjT7ceg8SwwL3sI8Prh56VIZ0ES3HiNdmbcU8Cm75DFqlG2OS', 'ttlJyRRizCsAKjUHv21YMfaAgQrItnUt936IpaaS0IWCuuL79', '_7lBB1vY9590PUwREPO2XQ9Ta2N4rUi5ZXMjenqB87tjDhYrpf', 'Gv9IXoYTxUOMuYnNNc8bmf2rD4vZWhXeT8NBsI5cfmsvPkd9T', 'yBGjAMx4IrJ4aBRYYrLAGIaGfZ84WjDxBONjZCVTj7f3O6dzv', 'Inhu2x7FoMBVe9FuhOGNS6bRyCxJrr4oKyVkAtDg2IcXXlICq', 'Vb2OtZ2mFtvBXdxk6W24bVlMj4TR0t2hjt8ZveELUelgwbLWo'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	High entropy of concatenated method names: 'ildmhkmnbomr0mhRclue73B4mqDqfe2JCONbWZi8jSg3MtK5L', 'nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h', 'eBRTBiiKlaBa0nndhupVEfasKgyUQgsIYVjXrOAxWRHbx97Yy', 'xDDAcd24X0UM0InsZAzkXyNlZC0y1oxxZs08YSlDl5W7voDP9', '_9x3bq69WpSh2QEbPgy13f3Thf8mb07YJXQtTgORxCaKVouQ7r', 'DRBpVHXHuIDdraLjtTW3ud5dBP9RMkpv0ICIvukFEz8OdD914', 'Cm1g9Xqe6mvRnFJHFdCeAoPaFcp8RFYtH4OyMNAh2ZrNktAKB', 'zycGKiBG1PdklsIFy5rda165WUVvnKSgGnjiWxqJMhFCyfF6L', 'lLd9DKzpQ9cOwBL2Cqz03ESn4JJdLZlGGegBMZAEgRLcpbTLz', 'qEejvT4kIexfScEWiaTm5ayBpThzE6FSO130Sq9CSehtYMKy0'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	High entropy of concatenated method names: 'j70LpoWliDlcDxqBLr7QPUVmRwzEZZSB5Q', 'XjyxFp9w2yxFP7yagokte9Txm6vSpEwZvu', 'xsIANs6XzK9V9g4bVJ7oYf2yaC2F6Zdoui', 'SCYpS2v9ZMrHbvPKUkLCFTdqvJwrWL6UIq', 'Gn3LPYcAEH4fT4FDq0lYO2pqy1ZyTAMzHJ', 'wqOdlSLJYxuGSGNkBiX4qpJaeYvgLOEtyT', 'YPaFf6ag4KSOtFiZYcsP8kSHEABZbUeg0Y', 'W5kNoQ1Lru1E9kA2mBElGDjEiNqtw2kYzY', 'Fg7NzeJUpyCxTbjekUC33MYJZYr1kYncAM', 'JPViTqXldagtsTNADEBTIiJu1dzXJmcJ3g'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, wOOq5bB92Ba7ooz2WkCQzTmIBUxVaDWziB.cs	High entropy of concatenated method names: 'R4qUnPzsX0NNtkNpbJLbOefCNgIn8Khuyn', 'wJMZ8oQvfLskpob9at41iUQcenI8WcFxS1', 'JDj0bhNXMA4oVfZMP8tr1xDpOnCEknUWCj', 'VSLvHoxKCl8UT61ZJzsYVNx0hIvaK5Draj', '_88qow1UlAh03CWPLgNcWynEtzl', 'clcGaDtaQDW3m5zqoXpsOYFE0S', '_652Oz4ZQx0IEy53L0DdCU8bVhA', 'MV4RQrPbq6IgaySoRPKtxrBaex', 'TDpTfW2S1YbyGXkCojqO0lNSsq', 'joZe4kEAR1UlntbknsLA6l9pCX'

Drops PE files

Source: C:\Users\user\Desktop\DriverUpdt.exe

File created: C:\Users\user\AppData\Roaming\DriverUpdt

Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Desktop\DriverUpdt.exe

File created: C:\Users\user\AppData\Roaming\DriverUpdt

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\DriverUpdt.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt"

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\DriverUpdt.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverUpdt.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\DriverUpdt.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverUpdt.lnk

Jump to behavior

Source: C:\Users\user\Desktop\DriverUpdt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DriverUpdt			Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DriverUpdt			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: DriverUpdt.exe, DriverUpdt.0.dr

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\DriverUpdt.exe	Memory allocated: 1350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Memory allocated: 1AFE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Memory allocated: A10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Memory allocated: 1A570000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Memory allocated: 1090000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Memory allocated: 1AB30000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\DriverUpdt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\DriverUpdt.exe	Window / User API: threadDelayed 9392	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Window / User API: threadDelayed 448	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5557	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4271	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7311	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2296	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6006	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3616	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6616
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3117

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\DriverUpdt.exe TID: 7080	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3936	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1680	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7044	Thread sleep count: 6006 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7044	Thread sleep count: 3616 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1076	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5228	Thread sleep count: 6616 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2968	Thread sleep count: 3117 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3836	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Roaming\DriverUpdt TID: 5948	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1964	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\DriverUpdt TID: 2576	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\DriverUpdt.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DriverUpdt	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\DriverUpdt	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\DriverUpdt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Thread delayed: delay time: 922337203685477

Source: DriverUpdt.0.dr	Binary or memory string: vmware
Source: svchost.exe, 00000012.00000002.3277939813.000001BA75A54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3277339892.000001BA75A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3273129280.000001BA7042B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: DriverUpdt.exe, 00000000.00000002.3313153105.000000001BEA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\DriverUpdt.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\DriverUpdt.exe

Code function: 0_2_00007FF848F0764A CheckRemoteDebuggerPresent,

0_2_00007FF848F0764A

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\DriverUpdt.exe

Process queried: DebugPort

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\DriverUpdt.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process token adjusted: Debug

Source: C:\Users\user\Desktop\DriverUpdt.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe'
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\DriverUpdt'
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\DriverUpdt'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\DriverUpdt.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe'

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\DriverUpdt'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\DriverUpdt.exe	Queries volume information: C:\Users\user\Desktop\DriverUpdt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Queries volume information: C:\Users\user\AppData\Roaming\DriverUpdt VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Queries volume information: C:\Users\user\AppData\Roaming\DriverUpdt VolumeInformation

Source: C:\Users\user\Desktop\DriverUpdt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: DriverUpdt.exe, 00000000.00000002.3313153105.000000001BEA2000.00000004.00000020.00020000.00000000.sdmp, DriverUpdt.exe, 00000000.00000002.3313153105.000000001BEEC000.00000004.00000020.00020000.00000000.sdmp, DriverUpdt.exe, 00000000.00000002.3313153105.000000001BF04000.00000004.00000020.00020000.00000000.sdmp, DriverUpdt.exe, 00000000.00000002.3313153105.000000001BF3F000.00000004.00000020.00020000.00000000.sdmp, DriverUpdt.exe, 00000000.00000002.3272706936.0000000001415000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: DriverUpdt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.DriverUpdt.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DriverUpdt.exe.12ff1a78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3310295199.0000000012FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2026730895.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3278221040.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DriverUpdt.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\DriverUpdt, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: DriverUpdt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.DriverUpdt.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DriverUpdt.exe.12ff1a78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3310295199.0000000012FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2026730895.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3278221040.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DriverUpdt.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\DriverUpdt, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
193.161.193.99	stewiegriffin-37537.portmap.host	Russian Federation		198134	BITREE-ASRU	true

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
ip-api.com	208.95.112.1	true
stewiegriffin-37537.portmap.host	193.161.193.99	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
stewiegriffin-37537.portmap.host	true	Avira URL Cloud: malware	unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DriverUpdt.exe

Avira: detected

Antivirus detection for URL or domain

Source: stewiegriffin-37537.portmap.host

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\DriverUpdt

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: DriverUpdt.exe

Malware Configuration Extractor: Xworm {"C2 url": ["stewiegriffin-37537.portmap.host"], "Port": "37537", "Aes key": "37537", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\DriverUpdt

ReversingLabs: Detection: 84%

Multi AV Scanner detection for submitted file

Source: DriverUpdt.exe

ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\DriverUpdt

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DriverUpdt.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: DriverUpdt.exe	String decryptor: stewiegriffin-37537.portmap.host
Source: DriverUpdt.exe	String decryptor: 37537
Source: DriverUpdt.exe	String decryptor: catfart
Source: DriverUpdt.exe	String decryptor: <Xwormmm>
Source: DriverUpdt.exe	String decryptor: gurry
Source: DriverUpdt.exe	String decryptor: USB.exe
Source: DriverUpdt.exe	String decryptor: %AppData%
Source: DriverUpdt.exe	String decryptor: DriverUpdt

Uses 32bit PE files

Source: DriverUpdt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DriverUpdt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: stewiegriffin-37537.portmap.host

Yara detected Generic Downloader

Source: Yara match	File source: DriverUpdt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.DriverUpdt.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\DriverUpdt, type: DROPPED

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49714 -> 193.161.193.99:37537

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 193.161.193.99 193.161.193.99

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: BITREE-ASRU BITREE-ASRU

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: stewiegriffin-37537.portmap.host

Source: powershell.exe, 0000000A.00000002.2586638323.0000014E39008000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000005.00000002.2227719144.00000135E1DF5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2586638323.0000014E39008000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000005.00000002.2227719144.00000135E1DF5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2586638323.0000014E39008000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000005.00000002.2225891671.00000135E1C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 0000000A.00000002.2583865294.0000014E38E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsp
Source: svchost.exe, 00000012.00000002.3276702426.000001BA75A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.18.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: DriverUpdt.exe, DriverUpdt.0.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.2119512647.0000029C6C39F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2209288191.00000135D96FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2359742614.0000019A7675F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2102983893.0000029C5C558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2153166994.00000135C98B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2265756719.0000019A66AA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: DriverUpdt.exe, 00000000.00000002.3278221040.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2102983893.0000029C5C331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2153166994.00000135C9691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2265756719.0000019A666F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2418918680.0000014E20711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2102983893.0000029C5C558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2153166994.00000135C98B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2265756719.0000019A66AA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.2385082051.0000019A7EEF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 0000000A.00000002.2586638323.0000014E39008000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoom/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0l
Source: powershell.exe, 00000002.00000002.2102983893.0000029C5C331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2153166994.00000135C9691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2265756719.0000019A666F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2418918680.0000014E20711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: edb.log.18.dr, qmgr.db.18.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000012.00000003.2732456791.000001BA75820000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr, qmgr.db.18.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 0000000A.00000002.2418918680.0000014E2093A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2127592677.0000029C74A39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5mConsumererv
Source: powershell.exe, 00000002.00000002.2119512647.0000029C6C39F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2209288191.00000135D96FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2359742614.0000019A7675F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2552881667.0000014E3077E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.18.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\DriverUpdt.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: DriverUpdt.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.DriverUpdt.exe.df0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DriverUpdt.exe.12ff1a78.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3310295199.0000000012FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2026730895.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\DriverUpdt, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Detected potential crypto function

Source: C:\Users\user\Desktop\DriverUpdt.exe	Code function: 0_2_00007FF848F016E9	0_2_00007FF848F016E9
Source: C:\Users\user\Desktop\DriverUpdt.exe	Code function: 0_2_00007FF848F06E42	0_2_00007FF848F06E42
Source: C:\Users\user\Desktop\DriverUpdt.exe	Code function: 0_2_00007FF848F02361	0_2_00007FF848F02361
Source: C:\Users\user\Desktop\DriverUpdt.exe	Code function: 0_2_00007FF848F06096	0_2_00007FF848F06096
Source: C:\Users\user\Desktop\DriverUpdt.exe	Code function: 0_2_00007FF848F020C1	0_2_00007FF848F020C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848FF30E9	8_2_00007FF848FF30E9
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Code function: 16_2_00007FF848F10E5E	16_2_00007FF848F10E5E
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Code function: 16_2_00007FF848F116E9	16_2_00007FF848F116E9
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Code function: 16_2_00007FF848F120C1	16_2_00007FF848F120C1
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Code function: 20_2_00007FF848F10E5E	20_2_00007FF848F10E5E
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Code function: 20_2_00007FF848F116E9	20_2_00007FF848F116E9
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Code function: 20_2_00007FF848F120C1	20_2_00007FF848F120C1

Uses 32bit PE files

Source: DriverUpdt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: DriverUpdt.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.DriverUpdt.exe.df0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DriverUpdt.exe.12ff1a78.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3310295199.0000000012FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2026730895.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\DriverUpdt, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: DriverUpdt.exe, rUq6Jc02GU46qh62C4zZA7O1E0dXcVGvvO.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: DriverUpdt.exe, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: DriverUpdt.exe, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: DriverUpdt.0.dr, rUq6Jc02GU46qh62C4zZA7O1E0dXcVGvvO.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: DriverUpdt.0.dr, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: DriverUpdt.0.dr, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, rUq6Jc02GU46qh62C4zZA7O1E0dXcVGvvO.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: DriverUpdt.exe, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.cs	Base64 encoded string: 'Wzyx3ogwisD56ZHkeZYkSrNpO3P9J9Ya4nyydoyDoMhqYbxKcIuCBE6nN3TYLZ2YGky5qwMVXBL9OzBj6saB', 'pEkzOAOMKFgZeEjnqyOdb2Nj9rg4fsl4Zisct4e8rZI8GpWTmVRpZXVefi66KO0FkTsZhrE3OUXpJalOj9B4', 'lGz07EJSsiEZHWKf405VC86ML0pFtcYa9DnDdlCrv8J198USUtFcC4ga0h6D3ane7yoXgP11tbBX4iDkUJeS', 'uzJDSqDxIrlZJqgOgwwy02Dz2doW9zNtgu1RZfT5wLgCGy8fQt7HHJ5u3k7cpPtrQjj193zWKo4RHGr1PzX7', 'kqsk7TjkQbOMRQH2P9ywEPNbF2r2incAMN3K1h9sJhx31ygvXxpPnN8wj2WFZsTUvvige5ObtRYEs6EG9D5d', 'P3jsV4lZMIEXKaHtWScW7lMfH1M7bVzOGpyPzhtflSe30EwumuBRdb6vTpfKTXnCs0EyLA83RPn8nmd7hA8r', 'k4IiQb8aZFjA4MsRFkE6P0TsgsiT9f6t02Ntz9sOgXWs0Nq6T70LKbhfkD5ShI8LUSrbaaQww9YO7IZrSXnF', 'xvJbDZCgm7lSnBhfxWOa8zS4w0526chcn7corNxa5cWF1mWYKadtQLF52nm6cGvwuyZd0azWMYzWeLS9lcev', 'Kj3Vb6PzHn9v07t3S0MWBznTXF1PkRT8IPHe7b7iUzNIQpLOGQIuf7Qw6sSjOHLy50aTBV6HbQz1FEQxMDre', 'QKbzE0YySm8lR0erhsq4rtsTMCTOH8uWKlTWQEr6qzkkxB0tXX13kESSZQ0TzkUiVIYEu9h6AFhoAozuHLGP'
Source: DriverUpdt.exe, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.cs	Base64 encoded string: 'uJIvKPRumgeUE7Cj6DUpv9OS9X3euISjlVu8QNQtltUm2IG3Y0JmlsPYPr5ci66SF5osCsrOnJPEtcePD1G1', 'XeZ2r4uLure0d6onZjoTUSlru3HjQ20XzQZ05KOuHMRAI6ctSnZGwEZJRRG3M7UxX1RD9uBRKZCu43NqpXe9'
Source: DriverUpdt.exe, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Base64 encoded string: 'RjaJGu3nFKjVX0HwnYwB9ectK5a6EyZDqeBpbfJVcWXzgU7cxwmplntKZbqu70u0hbw0FnnivfvskcF74o3X', 'IvZAem83h4vgpUmTHT5k0SVSUCWlugncvsAt7ObcW3MuzF5eUytFamzZuiXrAub6g02Vm5QmfvQ2cwbqj4la', 'JehyPCnBuflDs2d0ZYefcjO4JfBTQCC4HLKDhjmywyJhsaF0ReTf1GJEjxEzRWayaHAHaLzPSew8mvgAY6FW'
Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	Base64 encoded string: 'QgYbC2WdwKektmrwVSQXk6yB1NWvPEcjEeToyahhlq2wGd2keQrLxcDZTSUuhiqBwcodSszv1cFVZTcbLUYG', 'LOItW6SfTfvWaylwjhr8yEPSu2oJNoipfHWhndegtyONdycme84WEpTTBJJRvJ2U0rJMqbypLQZqriyuT7ZF', 't4S9tOQRYlNxhhE3lGaEFj9w0rrpGEgUSTZZoE66qxJZ7b8bKsn3G7Mt5X3S0ek8qgwVxv0K2Nh0JtU10dzU', 'Gr0dgRT9Isqyej2OaWxQTnFzKcx1kBFZ5uOIm80jhCWNMjPhceWcm9NnYdffK4fsEtvcysr7sg1JiNCeAf8F', 'NlazytOCkJxJwpVPk1IrAOFlMhiOhspVn63UIEtpMtwhm3FYRAiovb3P0X46ChDgHL0EIk7IlbjJnl1lAeS7', 'NUuBK0NmuFzZbbySSf5FK8kHSSZm0lufbsLrlhDw5HpjaxmbDuT0LtPUl0dFcrMkO9oaw5pmkxmCP9GSEUPg', 'hiHZ8Pnec7U0fALizQIaJmM6g8cZwU9aRArhJKGki3eSsi1UsFEfwmhnDyDHSgK1m4pfZlBfNclcdrv7bGOQ', 'tMDOOGYeG5UTwVFxUwxNGqt9UgalFlhCPr2mz5FNJOQTPvRS97rqk0cdnmliTYB2t7MMupqVM3IJOmtdq0Y7', 'rirOR0AtWALUZeGM2S5EWjWocdeAroBLyFZ79l6Q2bnUw3TvKnxQ0OvfPOdvMFlZbOQj5fQM5duB2nBRcjaB'
Source: DriverUpdt.0.dr, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.cs	Base64 encoded string: 'Wzyx3ogwisD56ZHkeZYkSrNpO3P9J9Ya4nyydoyDoMhqYbxKcIuCBE6nN3TYLZ2YGky5qwMVXBL9OzBj6saB', 'pEkzOAOMKFgZeEjnqyOdb2Nj9rg4fsl4Zisct4e8rZI8GpWTmVRpZXVefi66KO0FkTsZhrE3OUXpJalOj9B4', 'lGz07EJSsiEZHWKf405VC86ML0pFtcYa9DnDdlCrv8J198USUtFcC4ga0h6D3ane7yoXgP11tbBX4iDkUJeS', 'uzJDSqDxIrlZJqgOgwwy02Dz2doW9zNtgu1RZfT5wLgCGy8fQt7HHJ5u3k7cpPtrQjj193zWKo4RHGr1PzX7', 'kqsk7TjkQbOMRQH2P9ywEPNbF2r2incAMN3K1h9sJhx31ygvXxpPnN8wj2WFZsTUvvige5ObtRYEs6EG9D5d', 'P3jsV4lZMIEXKaHtWScW7lMfH1M7bVzOGpyPzhtflSe30EwumuBRdb6vTpfKTXnCs0EyLA83RPn8nmd7hA8r', 'k4IiQb8aZFjA4MsRFkE6P0TsgsiT9f6t02Ntz9sOgXWs0Nq6T70LKbhfkD5ShI8LUSrbaaQww9YO7IZrSXnF', 'xvJbDZCgm7lSnBhfxWOa8zS4w0526chcn7corNxa5cWF1mWYKadtQLF52nm6cGvwuyZd0azWMYzWeLS9lcev', 'Kj3Vb6PzHn9v07t3S0MWBznTXF1PkRT8IPHe7b7iUzNIQpLOGQIuf7Qw6sSjOHLy50aTBV6HbQz1FEQxMDre', 'QKbzE0YySm8lR0erhsq4rtsTMCTOH8uWKlTWQEr6qzkkxB0tXX13kESSZQ0TzkUiVIYEu9h6AFhoAozuHLGP'
Source: DriverUpdt.0.dr, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.cs	Base64 encoded string: 'uJIvKPRumgeUE7Cj6DUpv9OS9X3euISjlVu8QNQtltUm2IG3Y0JmlsPYPr5ci66SF5osCsrOnJPEtcePD1G1', 'XeZ2r4uLure0d6onZjoTUSlru3HjQ20XzQZ05KOuHMRAI6ctSnZGwEZJRRG3M7UxX1RD9uBRKZCu43NqpXe9'
Source: DriverUpdt.0.dr, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Base64 encoded string: 'RjaJGu3nFKjVX0HwnYwB9ectK5a6EyZDqeBpbfJVcWXzgU7cxwmplntKZbqu70u0hbw0FnnivfvskcF74o3X', 'IvZAem83h4vgpUmTHT5k0SVSUCWlugncvsAt7ObcW3MuzF5eUytFamzZuiXrAub6g02Vm5QmfvQ2cwbqj4la', 'JehyPCnBuflDs2d0ZYefcjO4JfBTQCC4HLKDhjmywyJhsaF0ReTf1GJEjxEzRWayaHAHaLzPSew8mvgAY6FW'
Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	Base64 encoded string: 'QgYbC2WdwKektmrwVSQXk6yB1NWvPEcjEeToyahhlq2wGd2keQrLxcDZTSUuhiqBwcodSszv1cFVZTcbLUYG', 'LOItW6SfTfvWaylwjhr8yEPSu2oJNoipfHWhndegtyONdycme84WEpTTBJJRvJ2U0rJMqbypLQZqriyuT7ZF', 't4S9tOQRYlNxhhE3lGaEFj9w0rrpGEgUSTZZoE66qxJZ7b8bKsn3G7Mt5X3S0ek8qgwVxv0K2Nh0JtU10dzU', 'Gr0dgRT9Isqyej2OaWxQTnFzKcx1kBFZ5uOIm80jhCWNMjPhceWcm9NnYdffK4fsEtvcysr7sg1JiNCeAf8F', 'NlazytOCkJxJwpVPk1IrAOFlMhiOhspVn63UIEtpMtwhm3FYRAiovb3P0X46ChDgHL0EIk7IlbjJnl1lAeS7', 'NUuBK0NmuFzZbbySSf5FK8kHSSZm0lufbsLrlhDw5HpjaxmbDuT0LtPUl0dFcrMkO9oaw5pmkxmCP9GSEUPg', 'hiHZ8Pnec7U0fALizQIaJmM6g8cZwU9aRArhJKGki3eSsi1UsFEfwmhnDyDHSgK1m4pfZlBfNclcdrv7bGOQ', 'tMDOOGYeG5UTwVFxUwxNGqt9UgalFlhCPr2mz5FNJOQTPvRS97rqk0cdnmliTYB2t7MMupqVM3IJOmtdq0Y7', 'rirOR0AtWALUZeGM2S5EWjWocdeAroBLyFZ79l6Q2bnUw3TvKnxQ0OvfPOdvMFlZbOQj5fQM5duB2nBRcjaB'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.cs	Base64 encoded string: 'Wzyx3ogwisD56ZHkeZYkSrNpO3P9J9Ya4nyydoyDoMhqYbxKcIuCBE6nN3TYLZ2YGky5qwMVXBL9OzBj6saB', 'pEkzOAOMKFgZeEjnqyOdb2Nj9rg4fsl4Zisct4e8rZI8GpWTmVRpZXVefi66KO0FkTsZhrE3OUXpJalOj9B4', 'lGz07EJSsiEZHWKf405VC86ML0pFtcYa9DnDdlCrv8J198USUtFcC4ga0h6D3ane7yoXgP11tbBX4iDkUJeS', 'uzJDSqDxIrlZJqgOgwwy02Dz2doW9zNtgu1RZfT5wLgCGy8fQt7HHJ5u3k7cpPtrQjj193zWKo4RHGr1PzX7', 'kqsk7TjkQbOMRQH2P9ywEPNbF2r2incAMN3K1h9sJhx31ygvXxpPnN8wj2WFZsTUvvige5ObtRYEs6EG9D5d', 'P3jsV4lZMIEXKaHtWScW7lMfH1M7bVzOGpyPzhtflSe30EwumuBRdb6vTpfKTXnCs0EyLA83RPn8nmd7hA8r', 'k4IiQb8aZFjA4MsRFkE6P0TsgsiT9f6t02Ntz9sOgXWs0Nq6T70LKbhfkD5ShI8LUSrbaaQww9YO7IZrSXnF', 'xvJbDZCgm7lSnBhfxWOa8zS4w0526chcn7corNxa5cWF1mWYKadtQLF52nm6cGvwuyZd0azWMYzWeLS9lcev', 'Kj3Vb6PzHn9v07t3S0MWBznTXF1PkRT8IPHe7b7iUzNIQpLOGQIuf7Qw6sSjOHLy50aTBV6HbQz1FEQxMDre', 'QKbzE0YySm8lR0erhsq4rtsTMCTOH8uWKlTWQEr6qzkkxB0tXX13kESSZQ0TzkUiVIYEu9h6AFhoAozuHLGP'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.cs	Base64 encoded string: 'uJIvKPRumgeUE7Cj6DUpv9OS9X3euISjlVu8QNQtltUm2IG3Y0JmlsPYPr5ci66SF5osCsrOnJPEtcePD1G1', 'XeZ2r4uLure0d6onZjoTUSlru3HjQ20XzQZ05KOuHMRAI6ctSnZGwEZJRRG3M7UxX1RD9uBRKZCu43NqpXe9'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Base64 encoded string: 'RjaJGu3nFKjVX0HwnYwB9ectK5a6EyZDqeBpbfJVcWXzgU7cxwmplntKZbqu70u0hbw0FnnivfvskcF74o3X', 'IvZAem83h4vgpUmTHT5k0SVSUCWlugncvsAt7ObcW3MuzF5eUytFamzZuiXrAub6g02Vm5QmfvQ2cwbqj4la', 'JehyPCnBuflDs2d0ZYefcjO4JfBTQCC4HLKDhjmywyJhsaF0ReTf1GJEjxEzRWayaHAHaLzPSew8mvgAY6FW'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	Base64 encoded string: 'QgYbC2WdwKektmrwVSQXk6yB1NWvPEcjEeToyahhlq2wGd2keQrLxcDZTSUuhiqBwcodSszv1cFVZTcbLUYG', 'LOItW6SfTfvWaylwjhr8yEPSu2oJNoipfHWhndegtyONdycme84WEpTTBJJRvJ2U0rJMqbypLQZqriyuT7ZF', 't4S9tOQRYlNxhhE3lGaEFj9w0rrpGEgUSTZZoE66qxJZ7b8bKsn3G7Mt5X3S0ek8qgwVxv0K2Nh0JtU10dzU', 'Gr0dgRT9Isqyej2OaWxQTnFzKcx1kBFZ5uOIm80jhCWNMjPhceWcm9NnYdffK4fsEtvcysr7sg1JiNCeAf8F', 'NlazytOCkJxJwpVPk1IrAOFlMhiOhspVn63UIEtpMtwhm3FYRAiovb3P0X46ChDgHL0EIk7IlbjJnl1lAeS7', 'NUuBK0NmuFzZbbySSf5FK8kHSSZm0lufbsLrlhDw5HpjaxmbDuT0LtPUl0dFcrMkO9oaw5pmkxmCP9GSEUPg', 'hiHZ8Pnec7U0fALizQIaJmM6g8cZwU9aRArhJKGki3eSsi1UsFEfwmhnDyDHSgK1m4pfZlBfNclcdrv7bGOQ', 'tMDOOGYeG5UTwVFxUwxNGqt9UgalFlhCPr2mz5FNJOQTPvRS97rqk0cdnmliTYB2t7MMupqVM3IJOmtdq0Y7', 'rirOR0AtWALUZeGM2S5EWjWocdeAroBLyFZ79l6Q2bnUw3TvKnxQ0OvfPOdvMFlZbOQj5fQM5duB2nBRcjaB'

Source: DriverUpdt.exe, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: DriverUpdt.exe, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: DriverUpdt.0.dr, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: DriverUpdt.0.dr, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@21/25@2/3

Source: C:\Users\user\Desktop\DriverUpdt.exe

File created: C:\Users\user\AppData\Roaming\DriverUpdt

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1216:120:WilError_03
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Mutant created: NULL
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:320:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_03
Source: C:\Users\user\Desktop\DriverUpdt.exe	Mutant created: \Sessions\1\BaseNamedObjects\4fPEH1k67YijypJe
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6208:120:WilError_03

Source: C:\Users\user\Desktop\DriverUpdt.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: DriverUpdt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DriverUpdt.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\DriverUpdt.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DriverUpdt.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DriverUpdt.exe

ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\DriverUpdt.exe

File read: C:\Users\user\Desktop\DriverUpdt.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DriverUpdt.exe "C:\Users\user\Desktop\DriverUpdt.exe"
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\DriverUpdt'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\DriverUpdt C:\Users\user\AppData\Roaming\DriverUpdt
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\DriverUpdt C:\Users\user\AppData\Roaming\DriverUpdt
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\DriverUpdt'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt"	Jump to behavior

Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\DriverUpdt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: DriverUpdt.lnk.0.dr

LNK file: ..\..\..\..\..\DriverUpdt

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: DriverUpdt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DriverUpdt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.kXvcjdmVY4zjRWVFXC3lBrUcBHK4LAN0d47tJ5k2LEuQI0mzt,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.xlbB3IbMaqdUb2n0f0CvPr61P2Uptm2pFO2H7q1xFeivbGFh0,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.KoNhKT39GT3lTIAfnbUdSyhuO0g2ooVUvR5NzfWgg3mVI2B2w,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.Xvf6QwUCtc6L1cEQe7heHcbBSCrayGp1BvJwaxebNPVDIH7VA,NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.hjZApXRfz1grdXI3WWGkQZSNuyC952qG2G()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2],NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.kLWkQWPCFdYmVqccyS5xT7N08VG3zFjVGo(Convert.FromBase64String(HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.kXvcjdmVY4zjRWVFXC3lBrUcBHK4LAN0d47tJ5k2LEuQI0mzt,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.xlbB3IbMaqdUb2n0f0CvPr61P2Uptm2pFO2H7q1xFeivbGFh0,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.KoNhKT39GT3lTIAfnbUdSyhuO0g2ooVUvR5NzfWgg3mVI2B2w,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.Xvf6QwUCtc6L1cEQe7heHcbBSCrayGp1BvJwaxebNPVDIH7VA,NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.hjZApXRfz1grdXI3WWGkQZSNuyC952qG2G()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2],NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.kLWkQWPCFdYmVqccyS5xT7N08VG3zFjVGo(Convert.FromBase64String(HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.kXvcjdmVY4zjRWVFXC3lBrUcBHK4LAN0d47tJ5k2LEuQI0mzt,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.xlbB3IbMaqdUb2n0f0CvPr61P2Uptm2pFO2H7q1xFeivbGFh0,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.KoNhKT39GT3lTIAfnbUdSyhuO0g2ooVUvR5NzfWgg3mVI2B2w,ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.Xvf6QwUCtc6L1cEQe7heHcbBSCrayGp1BvJwaxebNPVDIH7VA,NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.hjZApXRfz1grdXI3WWGkQZSNuyC952qG2G()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2],NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.kLWkQWPCFdYmVqccyS5xT7N08VG3zFjVGo(Convert.FromBase64String(HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { HnOI27tkAMX6BEYQ5c0dCqgg9gwbEKNpxj[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h System.AppDomain.Load(byte[])
Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM System.AppDomain.Load(byte[])
Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM
Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h System.AppDomain.Load(byte[])
Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM System.AppDomain.Load(byte[])
Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h System.AppDomain.Load(byte[])
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM System.AppDomain.Load(byte[])
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	.Net Code: wiXI9ZeBaRPpjQ8CLnKLl1DIpheP6IkVK8A66QkxgTDLdoWbM

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\DriverUpdt.exe	Code function: 0_2_00007FF848F000BD pushad ; iretd	0_2_00007FF848F000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848E0D2A5 pushad ; iretd	2_2_00007FF848E0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F20DA0 pushad ; retf	2_2_00007FF848F20E0D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F200BD pushad ; iretd	2_2_00007FF848F200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848DED2A5 pushad ; iretd	5_2_00007FF848DED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848F000BD pushad ; iretd	5_2_00007FF848F000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848E0D2A5 pushad ; iretd	8_2_00007FF848E0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848F2B9FA push E85A2FD7h; ret	8_2_00007FF848F2BAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848F200BD pushad ; iretd	8_2_00007FF848F200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF848E0D2A5 pushad ; iretd	10_2_00007FF848E0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF848F200BD pushad ; iretd	10_2_00007FF848F200C1
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Code function: 16_2_00007FF848F100BD pushad ; iretd	16_2_00007FF848F100C1
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Code function: 20_2_00007FF848F100BD pushad ; iretd	20_2_00007FF848F100C1

Source: DriverUpdt.exe, 0f5wN5iaksWJx8oMfJnXxCNtYs1IH8rt9K.cs	High entropy of concatenated method names: 'opDBjU1PODJbkaegdOB16WOFLY3mQwEdEl', 'a8JZBv7fLLr1RdVHhT7X73eC6HVDEuyzz5', '_0b9JnZEwICj7AGlBNURRztqML9SXeOZXL7', 'ATm6kN4FZHBZVfWhdbiVl10mjT', 'VD7JRi8WA6tNsZYOCrtsYfuvZV', '_55RVfoVYvecnmerTVPbxQt16vz', 'fW22Fiwx3IERa8JUW4qOSSwnFO', 'QPB9P6GSY9LK8xuIoVRml4j6MF', 'gzqTCi4f8OAhTPJItNGigaUu0T', 'XpA5SrtJGG2wBuUMwtKaY0RP2E'
Source: DriverUpdt.exe, ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.cs	High entropy of concatenated method names: 'avahQgg4hRxzX9sWEUVQHLXmMpxnnFQiZAhATcEne8jNC3GaHS6apCiUPFDRZ2tiMU', 'iiFlDfMB5MyGNa4QvvKZTieUzrznlepuhAftVwpjHqQyaIbiUMOa0yDQeLU5ZDvfvt', 'jSKnBOXrdi9UB1TQioMoUO8q6XAJicBEgFkb8UwhJy2Q2On2QORUreQXzhgeuvAnUh', 'MUGBiOpCAZALg18jYxbZem3mEJnIrJwCh5qELe8nZUzaT18guOceKdRTXNILt3qGh4'
Source: DriverUpdt.exe, ItGbRSbZFa55CcXB.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_0Love8mNF6aQdUOwBy38dDjl1YTHDjVbSbOLcprgBKwiaR9GQJqhsr24QGQFBc7oR5', '_5CSekGcVzZeoXZVENEqxcwNMvwPPZKiVqsUftGWbLqoK0sGqe9F3gVvJh1EQlCCqY4', 'Ht267XslWyBGNwGKM8CnIlTTlhouBGyJmbW8Udltu3AppwidYGJJMEneGlGyg7L0u0', 'KWl0mfZs0Dl0gfgooBpj0tseVrhreDSUzs9bW3ppX0z5NFwdu7aM7NIm4QF3v9wRy3'
Source: DriverUpdt.exe, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.cs	High entropy of concatenated method names: 'APq8HycpkPPjuDvi1sU0rjrQUmaVP3ID5K', 'UAc4yzzQ0GHVyuqxYwn0WWNqNW5YVXEX1T', '_7GJx3tULSMI6DNglNBPRFZnT7FpG6XxC24', 'oNjeO3ZFk0i7KeWtYzLT6DEYzx5EIl1Skx', 'Hivj6AHvQE9Mw9dvVggOg6jXbqNcPsJN8t', 'suBZaleEhn3iSaelJmGDY5DltNl5Tewq00', 'VDkCCL325lQjGKNJKk7TBL2Udz2oezOxb9', '_0YZbHdatVdNEN8nbiS8yT54eVWO30E8DWa', 'lp9NjEbIPxs9pF55qE3jVLzvblspVcvmaH', 'UhWxUNDlFThOwjYPG0l0acHFr5NePqj52e'
Source: DriverUpdt.exe, IxmT2WkPyORcZnISbnQeQ4J3xaAS3FBXxGK6ZtWktXuanuHSX.cs	High entropy of concatenated method names: 'BLM3rzpZtmjMMu9ZsUHeoVBJXmNvFTRdmUqRb7gYZvnQ023Cc', 'nh3KsCg04VCVMQzVX4yaL58h78ZCZR8yeuPao0ZRQAzQQfuhq', 'NSMkFOzg0rZ6YqpPV3jZhKbGaQFdPWF29l6I6P5YFrOgeKbV8', 'qs9Wu1E0FPVMQycOn1HJaAUJedRWZGda7UWzDgSkpWktqMZgy', 'QGfHhiirzqTpJFc5NkDUvgJg31bxC7yQtXexVJne2avAwOXKL', 'srbGpOt4IdjtvS1TwXRlvnc4c4gMPvIdCsO2p4tYzwPFtKHXP', '_3R8LTyvp37xGDVBNwmZfDvT0LDKI8CQ47hU8sbKhfmLlIZKVY', 'KrQ81CshIb95AY55FoK2Ee1LRHguA1kYew6tgd9j5l5CANh0s', '_80T3zQuCLmB5ehw5g8EaUt5gzDf0cydzCZVGIXQu9VyAEKVE0', 'lwJG5dNm7w2PzL4a9SPA0hMi69md5pEaJwj1OuoGCf6fCECxc'
Source: DriverUpdt.exe, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.cs	High entropy of concatenated method names: 'Mdt9l9R8TF7ur7Pv30sF3z8cCt5ncWgSUS', '_70nnctB0EBs6NssjjTsDMAAfcZ4iiAEHaKkdAz63u5sgFONvGoKYnEmvZ5kohXRXUz207sWNz3P5dlDx9Qoo', 'olVlEttCG0PtcKVJ8QXyt4BxeUf13GiNneDO1Ctkq1AIuJ4jSloNmWQLAFcjbp6aLg3WjEOqU8zoAegrngbA', 'wrAbldAE7kHEx7Kx4FEe3dRz4nBQPFr3j0wvR6guJ9wnN4TTAfdOIU7cMx35Pohmhy8fRwMzE86QOEJ0V5ax', 'FXknOpZ2o73XPQpP4mWAElExaLv4JJSMQlVlXT1MA9uK3rCo7i2DNomtuzlFOQCjOIXboCjQ1fNpJeyi5KAF'
Source: DriverUpdt.exe, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	High entropy of concatenated method names: 'ikzeM2JjEiTZLrO4eUCXFnU3WhiotWH5eWDkWpRierwdr2jWl', 'YsZjJgGxZhrccUsYXC98oaLNoqPds9pMA56yCOIGchvARkPK3', '_9qYRdciTZi8i7BmpK0OOQJbLuUfk0z6ikVdYd1DyqBjlzB5Vx', 'xjT7ceg8SwwL3sI8Prh56VIZ0ES3HiNdmbcU8Cm75DFqlG2OS', 'ttlJyRRizCsAKjUHv21YMfaAgQrItnUt936IpaaS0IWCuuL79', '_7lBB1vY9590PUwREPO2XQ9Ta2N4rUi5ZXMjenqB87tjDhYrpf', 'Gv9IXoYTxUOMuYnNNc8bmf2rD4vZWhXeT8NBsI5cfmsvPkd9T', 'yBGjAMx4IrJ4aBRYYrLAGIaGfZ84WjDxBONjZCVTj7f3O6dzv', 'Inhu2x7FoMBVe9FuhOGNS6bRyCxJrr4oKyVkAtDg2IcXXlICq', 'Vb2OtZ2mFtvBXdxk6W24bVlMj4TR0t2hjt8ZveELUelgwbLWo'
Source: DriverUpdt.exe, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	High entropy of concatenated method names: 'ildmhkmnbomr0mhRclue73B4mqDqfe2JCONbWZi8jSg3MtK5L', 'nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h', 'eBRTBiiKlaBa0nndhupVEfasKgyUQgsIYVjXrOAxWRHbx97Yy', 'xDDAcd24X0UM0InsZAzkXyNlZC0y1oxxZs08YSlDl5W7voDP9', '_9x3bq69WpSh2QEbPgy13f3Thf8mb07YJXQtTgORxCaKVouQ7r', 'DRBpVHXHuIDdraLjtTW3ud5dBP9RMkpv0ICIvukFEz8OdD914', 'Cm1g9Xqe6mvRnFJHFdCeAoPaFcp8RFYtH4OyMNAh2ZrNktAKB', 'zycGKiBG1PdklsIFy5rda165WUVvnKSgGnjiWxqJMhFCyfF6L', 'lLd9DKzpQ9cOwBL2Cqz03ESn4JJdLZlGGegBMZAEgRLcpbTLz', 'qEejvT4kIexfScEWiaTm5ayBpThzE6FSO130Sq9CSehtYMKy0'
Source: DriverUpdt.exe, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	High entropy of concatenated method names: 'j70LpoWliDlcDxqBLr7QPUVmRwzEZZSB5Q', 'XjyxFp9w2yxFP7yagokte9Txm6vSpEwZvu', 'xsIANs6XzK9V9g4bVJ7oYf2yaC2F6Zdoui', 'SCYpS2v9ZMrHbvPKUkLCFTdqvJwrWL6UIq', 'Gn3LPYcAEH4fT4FDq0lYO2pqy1ZyTAMzHJ', 'wqOdlSLJYxuGSGNkBiX4qpJaeYvgLOEtyT', 'YPaFf6ag4KSOtFiZYcsP8kSHEABZbUeg0Y', 'W5kNoQ1Lru1E9kA2mBElGDjEiNqtw2kYzY', 'Fg7NzeJUpyCxTbjekUC33MYJZYr1kYncAM', 'JPViTqXldagtsTNADEBTIiJu1dzXJmcJ3g'
Source: DriverUpdt.exe, wOOq5bB92Ba7ooz2WkCQzTmIBUxVaDWziB.cs	High entropy of concatenated method names: 'R4qUnPzsX0NNtkNpbJLbOefCNgIn8Khuyn', 'wJMZ8oQvfLskpob9at41iUQcenI8WcFxS1', 'JDj0bhNXMA4oVfZMP8tr1xDpOnCEknUWCj', 'VSLvHoxKCl8UT61ZJzsYVNx0hIvaK5Draj', '_88qow1UlAh03CWPLgNcWynEtzl', 'clcGaDtaQDW3m5zqoXpsOYFE0S', '_652Oz4ZQx0IEy53L0DdCU8bVhA', 'MV4RQrPbq6IgaySoRPKtxrBaex', 'TDpTfW2S1YbyGXkCojqO0lNSsq', 'joZe4kEAR1UlntbknsLA6l9pCX'
Source: DriverUpdt.0.dr, 0f5wN5iaksWJx8oMfJnXxCNtYs1IH8rt9K.cs	High entropy of concatenated method names: 'opDBjU1PODJbkaegdOB16WOFLY3mQwEdEl', 'a8JZBv7fLLr1RdVHhT7X73eC6HVDEuyzz5', '_0b9JnZEwICj7AGlBNURRztqML9SXeOZXL7', 'ATm6kN4FZHBZVfWhdbiVl10mjT', 'VD7JRi8WA6tNsZYOCrtsYfuvZV', '_55RVfoVYvecnmerTVPbxQt16vz', 'fW22Fiwx3IERa8JUW4qOSSwnFO', 'QPB9P6GSY9LK8xuIoVRml4j6MF', 'gzqTCi4f8OAhTPJItNGigaUu0T', 'XpA5SrtJGG2wBuUMwtKaY0RP2E'
Source: DriverUpdt.0.dr, ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.cs	High entropy of concatenated method names: 'avahQgg4hRxzX9sWEUVQHLXmMpxnnFQiZAhATcEne8jNC3GaHS6apCiUPFDRZ2tiMU', 'iiFlDfMB5MyGNa4QvvKZTieUzrznlepuhAftVwpjHqQyaIbiUMOa0yDQeLU5ZDvfvt', 'jSKnBOXrdi9UB1TQioMoUO8q6XAJicBEgFkb8UwhJy2Q2On2QORUreQXzhgeuvAnUh', 'MUGBiOpCAZALg18jYxbZem3mEJnIrJwCh5qELe8nZUzaT18guOceKdRTXNILt3qGh4'
Source: DriverUpdt.0.dr, ItGbRSbZFa55CcXB.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_0Love8mNF6aQdUOwBy38dDjl1YTHDjVbSbOLcprgBKwiaR9GQJqhsr24QGQFBc7oR5', '_5CSekGcVzZeoXZVENEqxcwNMvwPPZKiVqsUftGWbLqoK0sGqe9F3gVvJh1EQlCCqY4', 'Ht267XslWyBGNwGKM8CnIlTTlhouBGyJmbW8Udltu3AppwidYGJJMEneGlGyg7L0u0', 'KWl0mfZs0Dl0gfgooBpj0tseVrhreDSUzs9bW3ppX0z5NFwdu7aM7NIm4QF3v9wRy3'
Source: DriverUpdt.0.dr, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.cs	High entropy of concatenated method names: 'APq8HycpkPPjuDvi1sU0rjrQUmaVP3ID5K', 'UAc4yzzQ0GHVyuqxYwn0WWNqNW5YVXEX1T', '_7GJx3tULSMI6DNglNBPRFZnT7FpG6XxC24', 'oNjeO3ZFk0i7KeWtYzLT6DEYzx5EIl1Skx', 'Hivj6AHvQE9Mw9dvVggOg6jXbqNcPsJN8t', 'suBZaleEhn3iSaelJmGDY5DltNl5Tewq00', 'VDkCCL325lQjGKNJKk7TBL2Udz2oezOxb9', '_0YZbHdatVdNEN8nbiS8yT54eVWO30E8DWa', 'lp9NjEbIPxs9pF55qE3jVLzvblspVcvmaH', 'UhWxUNDlFThOwjYPG0l0acHFr5NePqj52e'
Source: DriverUpdt.0.dr, IxmT2WkPyORcZnISbnQeQ4J3xaAS3FBXxGK6ZtWktXuanuHSX.cs	High entropy of concatenated method names: 'BLM3rzpZtmjMMu9ZsUHeoVBJXmNvFTRdmUqRb7gYZvnQ023Cc', 'nh3KsCg04VCVMQzVX4yaL58h78ZCZR8yeuPao0ZRQAzQQfuhq', 'NSMkFOzg0rZ6YqpPV3jZhKbGaQFdPWF29l6I6P5YFrOgeKbV8', 'qs9Wu1E0FPVMQycOn1HJaAUJedRWZGda7UWzDgSkpWktqMZgy', 'QGfHhiirzqTpJFc5NkDUvgJg31bxC7yQtXexVJne2avAwOXKL', 'srbGpOt4IdjtvS1TwXRlvnc4c4gMPvIdCsO2p4tYzwPFtKHXP', '_3R8LTyvp37xGDVBNwmZfDvT0LDKI8CQ47hU8sbKhfmLlIZKVY', 'KrQ81CshIb95AY55FoK2Ee1LRHguA1kYew6tgd9j5l5CANh0s', '_80T3zQuCLmB5ehw5g8EaUt5gzDf0cydzCZVGIXQu9VyAEKVE0', 'lwJG5dNm7w2PzL4a9SPA0hMi69md5pEaJwj1OuoGCf6fCECxc'
Source: DriverUpdt.0.dr, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.cs	High entropy of concatenated method names: 'Mdt9l9R8TF7ur7Pv30sF3z8cCt5ncWgSUS', '_70nnctB0EBs6NssjjTsDMAAfcZ4iiAEHaKkdAz63u5sgFONvGoKYnEmvZ5kohXRXUz207sWNz3P5dlDx9Qoo', 'olVlEttCG0PtcKVJ8QXyt4BxeUf13GiNneDO1Ctkq1AIuJ4jSloNmWQLAFcjbp6aLg3WjEOqU8zoAegrngbA', 'wrAbldAE7kHEx7Kx4FEe3dRz4nBQPFr3j0wvR6guJ9wnN4TTAfdOIU7cMx35Pohmhy8fRwMzE86QOEJ0V5ax', 'FXknOpZ2o73XPQpP4mWAElExaLv4JJSMQlVlXT1MA9uK3rCo7i2DNomtuzlFOQCjOIXboCjQ1fNpJeyi5KAF'
Source: DriverUpdt.0.dr, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	High entropy of concatenated method names: 'ikzeM2JjEiTZLrO4eUCXFnU3WhiotWH5eWDkWpRierwdr2jWl', 'YsZjJgGxZhrccUsYXC98oaLNoqPds9pMA56yCOIGchvARkPK3', '_9qYRdciTZi8i7BmpK0OOQJbLuUfk0z6ikVdYd1DyqBjlzB5Vx', 'xjT7ceg8SwwL3sI8Prh56VIZ0ES3HiNdmbcU8Cm75DFqlG2OS', 'ttlJyRRizCsAKjUHv21YMfaAgQrItnUt936IpaaS0IWCuuL79', '_7lBB1vY9590PUwREPO2XQ9Ta2N4rUi5ZXMjenqB87tjDhYrpf', 'Gv9IXoYTxUOMuYnNNc8bmf2rD4vZWhXeT8NBsI5cfmsvPkd9T', 'yBGjAMx4IrJ4aBRYYrLAGIaGfZ84WjDxBONjZCVTj7f3O6dzv', 'Inhu2x7FoMBVe9FuhOGNS6bRyCxJrr4oKyVkAtDg2IcXXlICq', 'Vb2OtZ2mFtvBXdxk6W24bVlMj4TR0t2hjt8ZveELUelgwbLWo'
Source: DriverUpdt.0.dr, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	High entropy of concatenated method names: 'ildmhkmnbomr0mhRclue73B4mqDqfe2JCONbWZi8jSg3MtK5L', 'nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h', 'eBRTBiiKlaBa0nndhupVEfasKgyUQgsIYVjXrOAxWRHbx97Yy', 'xDDAcd24X0UM0InsZAzkXyNlZC0y1oxxZs08YSlDl5W7voDP9', '_9x3bq69WpSh2QEbPgy13f3Thf8mb07YJXQtTgORxCaKVouQ7r', 'DRBpVHXHuIDdraLjtTW3ud5dBP9RMkpv0ICIvukFEz8OdD914', 'Cm1g9Xqe6mvRnFJHFdCeAoPaFcp8RFYtH4OyMNAh2ZrNktAKB', 'zycGKiBG1PdklsIFy5rda165WUVvnKSgGnjiWxqJMhFCyfF6L', 'lLd9DKzpQ9cOwBL2Cqz03ESn4JJdLZlGGegBMZAEgRLcpbTLz', 'qEejvT4kIexfScEWiaTm5ayBpThzE6FSO130Sq9CSehtYMKy0'
Source: DriverUpdt.0.dr, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	High entropy of concatenated method names: 'j70LpoWliDlcDxqBLr7QPUVmRwzEZZSB5Q', 'XjyxFp9w2yxFP7yagokte9Txm6vSpEwZvu', 'xsIANs6XzK9V9g4bVJ7oYf2yaC2F6Zdoui', 'SCYpS2v9ZMrHbvPKUkLCFTdqvJwrWL6UIq', 'Gn3LPYcAEH4fT4FDq0lYO2pqy1ZyTAMzHJ', 'wqOdlSLJYxuGSGNkBiX4qpJaeYvgLOEtyT', 'YPaFf6ag4KSOtFiZYcsP8kSHEABZbUeg0Y', 'W5kNoQ1Lru1E9kA2mBElGDjEiNqtw2kYzY', 'Fg7NzeJUpyCxTbjekUC33MYJZYr1kYncAM', 'JPViTqXldagtsTNADEBTIiJu1dzXJmcJ3g'
Source: DriverUpdt.0.dr, wOOq5bB92Ba7ooz2WkCQzTmIBUxVaDWziB.cs	High entropy of concatenated method names: 'R4qUnPzsX0NNtkNpbJLbOefCNgIn8Khuyn', 'wJMZ8oQvfLskpob9at41iUQcenI8WcFxS1', 'JDj0bhNXMA4oVfZMP8tr1xDpOnCEknUWCj', 'VSLvHoxKCl8UT61ZJzsYVNx0hIvaK5Draj', '_88qow1UlAh03CWPLgNcWynEtzl', 'clcGaDtaQDW3m5zqoXpsOYFE0S', '_652Oz4ZQx0IEy53L0DdCU8bVhA', 'MV4RQrPbq6IgaySoRPKtxrBaex', 'TDpTfW2S1YbyGXkCojqO0lNSsq', 'joZe4kEAR1UlntbknsLA6l9pCX'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, 0f5wN5iaksWJx8oMfJnXxCNtYs1IH8rt9K.cs	High entropy of concatenated method names: 'opDBjU1PODJbkaegdOB16WOFLY3mQwEdEl', 'a8JZBv7fLLr1RdVHhT7X73eC6HVDEuyzz5', '_0b9JnZEwICj7AGlBNURRztqML9SXeOZXL7', 'ATm6kN4FZHBZVfWhdbiVl10mjT', 'VD7JRi8WA6tNsZYOCrtsYfuvZV', '_55RVfoVYvecnmerTVPbxQt16vz', 'fW22Fiwx3IERa8JUW4qOSSwnFO', 'QPB9P6GSY9LK8xuIoVRml4j6MF', 'gzqTCi4f8OAhTPJItNGigaUu0T', 'XpA5SrtJGG2wBuUMwtKaY0RP2E'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, ZNHrNvFD9ZobwV38ubTReWLeO8bnAumccihqlfuYjWyldAumT.cs	High entropy of concatenated method names: 'avahQgg4hRxzX9sWEUVQHLXmMpxnnFQiZAhATcEne8jNC3GaHS6apCiUPFDRZ2tiMU', 'iiFlDfMB5MyGNa4QvvKZTieUzrznlepuhAftVwpjHqQyaIbiUMOa0yDQeLU5ZDvfvt', 'jSKnBOXrdi9UB1TQioMoUO8q6XAJicBEgFkb8UwhJy2Q2On2QORUreQXzhgeuvAnUh', 'MUGBiOpCAZALg18jYxbZem3mEJnIrJwCh5qELe8nZUzaT18guOceKdRTXNILt3qGh4'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, ItGbRSbZFa55CcXB.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_0Love8mNF6aQdUOwBy38dDjl1YTHDjVbSbOLcprgBKwiaR9GQJqhsr24QGQFBc7oR5', '_5CSekGcVzZeoXZVENEqxcwNMvwPPZKiVqsUftGWbLqoK0sGqe9F3gVvJh1EQlCCqY4', 'Ht267XslWyBGNwGKM8CnIlTTlhouBGyJmbW8Udltu3AppwidYGJJMEneGlGyg7L0u0', 'KWl0mfZs0Dl0gfgooBpj0tseVrhreDSUzs9bW3ppX0z5NFwdu7aM7NIm4QF3v9wRy3'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, Rh46SGTJYh5nC7MsPl2FieEVPZw16o7SqK.cs	High entropy of concatenated method names: 'APq8HycpkPPjuDvi1sU0rjrQUmaVP3ID5K', 'UAc4yzzQ0GHVyuqxYwn0WWNqNW5YVXEX1T', '_7GJx3tULSMI6DNglNBPRFZnT7FpG6XxC24', 'oNjeO3ZFk0i7KeWtYzLT6DEYzx5EIl1Skx', 'Hivj6AHvQE9Mw9dvVggOg6jXbqNcPsJN8t', 'suBZaleEhn3iSaelJmGDY5DltNl5Tewq00', 'VDkCCL325lQjGKNJKk7TBL2Udz2oezOxb9', '_0YZbHdatVdNEN8nbiS8yT54eVWO30E8DWa', 'lp9NjEbIPxs9pF55qE3jVLzvblspVcvmaH', 'UhWxUNDlFThOwjYPG0l0acHFr5NePqj52e'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, IxmT2WkPyORcZnISbnQeQ4J3xaAS3FBXxGK6ZtWktXuanuHSX.cs	High entropy of concatenated method names: 'BLM3rzpZtmjMMu9ZsUHeoVBJXmNvFTRdmUqRb7gYZvnQ023Cc', 'nh3KsCg04VCVMQzVX4yaL58h78ZCZR8yeuPao0ZRQAzQQfuhq', 'NSMkFOzg0rZ6YqpPV3jZhKbGaQFdPWF29l6I6P5YFrOgeKbV8', 'qs9Wu1E0FPVMQycOn1HJaAUJedRWZGda7UWzDgSkpWktqMZgy', 'QGfHhiirzqTpJFc5NkDUvgJg31bxC7yQtXexVJne2avAwOXKL', 'srbGpOt4IdjtvS1TwXRlvnc4c4gMPvIdCsO2p4tYzwPFtKHXP', '_3R8LTyvp37xGDVBNwmZfDvT0LDKI8CQ47hU8sbKhfmLlIZKVY', 'KrQ81CshIb95AY55FoK2Ee1LRHguA1kYew6tgd9j5l5CANh0s', '_80T3zQuCLmB5ehw5g8EaUt5gzDf0cydzCZVGIXQu9VyAEKVE0', 'lwJG5dNm7w2PzL4a9SPA0hMi69md5pEaJwj1OuoGCf6fCECxc'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, 2uBhJ8fSv8l0pNFJnFq2SeR3AXe9pdtb8Z.cs	High entropy of concatenated method names: 'Mdt9l9R8TF7ur7Pv30sF3z8cCt5ncWgSUS', '_70nnctB0EBs6NssjjTsDMAAfcZ4iiAEHaKkdAz63u5sgFONvGoKYnEmvZ5kohXRXUz207sWNz3P5dlDx9Qoo', 'olVlEttCG0PtcKVJ8QXyt4BxeUf13GiNneDO1Ctkq1AIuJ4jSloNmWQLAFcjbp6aLg3WjEOqU8zoAegrngbA', 'wrAbldAE7kHEx7Kx4FEe3dRz4nBQPFr3j0wvR6guJ9wnN4TTAfdOIU7cMx35Pohmhy8fRwMzE86QOEJ0V5ax', 'FXknOpZ2o73XPQpP4mWAElExaLv4JJSMQlVlXT1MA9uK3rCo7i2DNomtuzlFOQCjOIXboCjQ1fNpJeyi5KAF'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, e95G2DjFXzv6C0eArUQts1cNIeQlL39BGnN7z8xoz5lRERj07.cs	High entropy of concatenated method names: 'ikzeM2JjEiTZLrO4eUCXFnU3WhiotWH5eWDkWpRierwdr2jWl', 'YsZjJgGxZhrccUsYXC98oaLNoqPds9pMA56yCOIGchvARkPK3', '_9qYRdciTZi8i7BmpK0OOQJbLuUfk0z6ikVdYd1DyqBjlzB5Vx', 'xjT7ceg8SwwL3sI8Prh56VIZ0ES3HiNdmbcU8Cm75DFqlG2OS', 'ttlJyRRizCsAKjUHv21YMfaAgQrItnUt936IpaaS0IWCuuL79', '_7lBB1vY9590PUwREPO2XQ9Ta2N4rUi5ZXMjenqB87tjDhYrpf', 'Gv9IXoYTxUOMuYnNNc8bmf2rD4vZWhXeT8NBsI5cfmsvPkd9T', 'yBGjAMx4IrJ4aBRYYrLAGIaGfZ84WjDxBONjZCVTj7f3O6dzv', 'Inhu2x7FoMBVe9FuhOGNS6bRyCxJrr4oKyVkAtDg2IcXXlICq', 'Vb2OtZ2mFtvBXdxk6W24bVlMj4TR0t2hjt8ZveELUelgwbLWo'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, cAzqzAvd3bxf9n3F3HaWLzB2xJOXRxGRVOHOGdKnuAZ66nxtm.cs	High entropy of concatenated method names: 'ildmhkmnbomr0mhRclue73B4mqDqfe2JCONbWZi8jSg3MtK5L', 'nVAtaQnZ6l6nBm3lJhzBnKxeTFQmUXn7zcx5uYC0wgSdqcy9h', 'eBRTBiiKlaBa0nndhupVEfasKgyUQgsIYVjXrOAxWRHbx97Yy', 'xDDAcd24X0UM0InsZAzkXyNlZC0y1oxxZs08YSlDl5W7voDP9', '_9x3bq69WpSh2QEbPgy13f3Thf8mb07YJXQtTgORxCaKVouQ7r', 'DRBpVHXHuIDdraLjtTW3ud5dBP9RMkpv0ICIvukFEz8OdD914', 'Cm1g9Xqe6mvRnFJHFdCeAoPaFcp8RFYtH4OyMNAh2ZrNktAKB', 'zycGKiBG1PdklsIFy5rda165WUVvnKSgGnjiWxqJMhFCyfF6L', 'lLd9DKzpQ9cOwBL2Cqz03ESn4JJdLZlGGegBMZAEgRLcpbTLz', 'qEejvT4kIexfScEWiaTm5ayBpThzE6FSO130Sq9CSehtYMKy0'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, NV31X1ToxhOFhVuWPZSu670P9wPGjQJEsv.cs	High entropy of concatenated method names: 'j70LpoWliDlcDxqBLr7QPUVmRwzEZZSB5Q', 'XjyxFp9w2yxFP7yagokte9Txm6vSpEwZvu', 'xsIANs6XzK9V9g4bVJ7oYf2yaC2F6Zdoui', 'SCYpS2v9ZMrHbvPKUkLCFTdqvJwrWL6UIq', 'Gn3LPYcAEH4fT4FDq0lYO2pqy1ZyTAMzHJ', 'wqOdlSLJYxuGSGNkBiX4qpJaeYvgLOEtyT', 'YPaFf6ag4KSOtFiZYcsP8kSHEABZbUeg0Y', 'W5kNoQ1Lru1E9kA2mBElGDjEiNqtw2kYzY', 'Fg7NzeJUpyCxTbjekUC33MYJZYr1kYncAM', 'JPViTqXldagtsTNADEBTIiJu1dzXJmcJ3g'
Source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, wOOq5bB92Ba7ooz2WkCQzTmIBUxVaDWziB.cs	High entropy of concatenated method names: 'R4qUnPzsX0NNtkNpbJLbOefCNgIn8Khuyn', 'wJMZ8oQvfLskpob9at41iUQcenI8WcFxS1', 'JDj0bhNXMA4oVfZMP8tr1xDpOnCEknUWCj', 'VSLvHoxKCl8UT61ZJzsYVNx0hIvaK5Draj', '_88qow1UlAh03CWPLgNcWynEtzl', 'clcGaDtaQDW3m5zqoXpsOYFE0S', '_652Oz4ZQx0IEy53L0DdCU8bVhA', 'MV4RQrPbq6IgaySoRPKtxrBaex', 'TDpTfW2S1YbyGXkCojqO0lNSsq', 'joZe4kEAR1UlntbknsLA6l9pCX'

Drops PE files

Source: C:\Users\user\Desktop\DriverUpdt.exe

File created: C:\Users\user\AppData\Roaming\DriverUpdt

Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Desktop\DriverUpdt.exe

File created: C:\Users\user\AppData\Roaming\DriverUpdt

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\DriverUpdt.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt"

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\DriverUpdt.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverUpdt.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\DriverUpdt.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverUpdt.lnk

Jump to behavior

Source: C:\Users\user\Desktop\DriverUpdt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DriverUpdt			Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DriverUpdt			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: DriverUpdt.exe, DriverUpdt.0.dr

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\DriverUpdt.exe	Memory allocated: 1350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Memory allocated: 1AFE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Memory allocated: A10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Memory allocated: 1A570000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Memory allocated: 1090000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Memory allocated: 1AB30000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\DriverUpdt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\DriverUpdt.exe	Window / User API: threadDelayed 9392	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Window / User API: threadDelayed 448	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5557	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4271	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7311	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2296	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6006	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3616	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6616
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3117

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\DriverUpdt.exe TID: 7080	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3936	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1680	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7044	Thread sleep count: 6006 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7044	Thread sleep count: 3616 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1076	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5228	Thread sleep count: 6616 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2968	Thread sleep count: 3117 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3836	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Roaming\DriverUpdt TID: 5948	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1964	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\DriverUpdt TID: 2576	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\DriverUpdt.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DriverUpdt	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\DriverUpdt	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\DriverUpdt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Thread delayed: delay time: 922337203685477

Source: DriverUpdt.0.dr	Binary or memory string: vmware
Source: svchost.exe, 00000012.00000002.3277939813.000001BA75A54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3277339892.000001BA75A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3273129280.000001BA7042B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: DriverUpdt.exe, 00000000.00000002.3313153105.000000001BEA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\DriverUpdt.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\DriverUpdt.exe

Code function: 0_2_00007FF848F0764A CheckRemoteDebuggerPresent,

0_2_00007FF848F0764A

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\DriverUpdt.exe

Process queried: DebugPort

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\DriverUpdt.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Process token adjusted: Debug

Source: C:\Users\user\Desktop\DriverUpdt.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe'
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\DriverUpdt'
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\DriverUpdt'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\DriverUpdt.exe

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DriverUpdt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\DriverUpdt'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DriverUpdt'	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DriverUpdt" /tr "C:\Users\user\AppData\Roaming\DriverUpdt"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\DriverUpdt.exe	Queries volume information: C:\Users\user\Desktop\DriverUpdt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DriverUpdt.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Queries volume information: C:\Users\user\AppData\Roaming\DriverUpdt VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\DriverUpdt	Queries volume information: C:\Users\user\AppData\Roaming\DriverUpdt VolumeInformation

Source: C:\Users\user\Desktop\DriverUpdt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\DriverUpdt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: DriverUpdt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.DriverUpdt.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DriverUpdt.exe.12ff1a78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3310295199.0000000012FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2026730895.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3278221040.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DriverUpdt.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\DriverUpdt, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: DriverUpdt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.DriverUpdt.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DriverUpdt.exe.12ff1a78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DriverUpdt.exe.12ff1a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3310295199.0000000012FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2026730895.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3278221040.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DriverUpdt.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\DriverUpdt, type: DROPPED

ID:	1465719
Product:	CloudBasic
Start time:	00:32:53
Start date:	02.07.2024
Sample:	DriverUpdt.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	65485b0475b6c8a3b4f35bba541938a6
SHA1:	28e6e6cd2ebf8a9fdffeb4aeba13b70ea7ea03a3
SHA256:	c6740ee5c8afdc2c7be42fb03ab5a346925efc6ac785fe7d68dec2d5f05d276b
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.log	data	37EA4D4C095492AB5D976770EED6337E	E30445DA165D07A0143C9F655CE92E1A39BFE94A	80DEBE333007A8E504D902BF9D0DD56C23EED5FE1896A70241530D8D0CEFEE8A
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x7693279d, page size 16384, DirtyShutdown, Windows version 10.0	440120B60582CFACAF0BD49823FF4094	10332A44BCBB3CA8D019A3110F79CCF88F83A49A	5209D5563A272C96AA4580DDCCC38581D30AC2203D1EB85DBAFEAF1A250DC8E7
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	OpenPGP Secret Key	29454DA74EDCF276550237745DAF0477	A3DA122C6DD000BE16A309F6952C6A6292F99FF7	4C174535E64691CBF8F73DC8BBDF952FA9C4215512CF5B18F318AFE95D4935E1
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DriverUpdt.log	CSV text	30E4BDFC34907D0E4D11152CAEBE27FA	825402D6B151041BA01C5117387228EC9B7168BF	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	446DD1CF97EABA21CF14D03AEBC79F27	36E4CC7367E0C7B40F4A8ACE272941EA46373799	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
C:\Users\user\AppData\Local\Temp\Log.tmp	Generic INItialization configuration [WIN]	DE63D53293EBACE29F3F54832D739D40	1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F	A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_02jsdgny.q2t.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_12zc25uq.q0f.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1vnoaoms.u4z.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4jl1nfem.5qp.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_emyiijh0.i5e.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ikfhwfho.3vz.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iqud4z3t.4pq.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jh2xp0ln.q4v.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lszxbovc.ozj.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rjisagsy.crl.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sl32vdvz.p3a.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t4c410in.jwt.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tzsdp5rh.00h.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u3f3g5r3.poz.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vknoxv4m.pv1.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yzycsrnx.ae2.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\DriverUpdt	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	65485B0475B6C8A3B4F35BBA541938A6	28E6E6CD2EBF8A9FDFFEB4AEBA13B70EA7EA03A3	C6740EE5C8AFDC2C7BE42FB03AB5A346925EFC6AC785FE7D68DEC2D5F05D276B
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DriverUpdt.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Jul 1 21:34:39 2024, mtime=Mon Jul 1 21:34:39 2024, atime=Mon Jul 1 21:34:39 2024, length=86528, window=hide	B28360C3527ACFAE4AFAF4F032A823C1	ACADBD3FD5486B0877514B229D0A6E50BE97D46B	35149B831F74E6ACC19D3F820A24D65364AED40C0A260E04EA80DF0A3DCAD264
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	JSON data	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9

Windows Analysis Report
DriverUpdt.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report DriverUpdt.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
DriverUpdt.exe

Malware Threat Intel
Provided by