Windows Analysis Report
UH7iNNKgPW.exe

Overview

General Information

Sample name:	UH7iNNKgPW.exe renamed because original name is a hash value
Original sample name:	cd330adb64da87d5cd0e2cb83d84cfb0dd8501c915ba5b17cbd3ef2ac8e640d7.exe
Analysis ID:	1561583
MD5:	f01ac0aa6cfa3465c7a940f9a1fac989
SHA1:	a04194eee58ce77420a4d38e0db26d1016e30df1
SHA256:	cd330adb64da87d5cd0e2cb83d84cfb0dd8501c915ba5b17cbd3ef2ac8e640d7
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: UH7iNNKgPW.exe

Avira: detected

Antivirus detection for URL or domain

Source: plant-serial.gl.at.ply.gg

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "plant-serial.gl.at.ply.gg", "147.185.221.18"], "Port": 28000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ADWASl.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	ReversingLabs: Detection: 87%

Multi AV Scanner detection for submitted file

Source: UH7iNNKgPW.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: UH7iNNKgPW.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: 127.0.0.1,plant-serial.gl.at.ply.gg,147.185.221.18
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: 28000
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: <123456789>
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: <Xwormmm>
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: XWorm V5.2
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: USB.exe
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: %Public%
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: system user

Uses 32bit PE files

Source: UH7iNNKgPW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: UH7iNNKgPW.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 127.0.0.1
Source: Malware configuration extractor	URLs: plant-serial.gl.at.ply.gg
Source: Malware configuration extractor	URLs: 147.185.221.18

Yara detected Generic Downloader

Source: Yara match	File source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: powershell.exe, 0000000E.00000002.2592473371.000001FF9A034000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000013.00000002.3179493609.000002403A4C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 0000000A.00000002.2557353060.00000225E3261000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2592473371.000001FF9A034000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3085151044.0000022F3E4C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3179493609.000002403A4C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000A.00000002.2557353060.00000225E3261000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2592473371.000001FF9A034000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3085151044.0000022F3E4C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3179493609.000002403A4C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: UH7iNNKgPW.exe, 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, KUPAL.exe, 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, ADWASl.exe, 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000004.00000002.2252587537.0000018C5E1AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2514087169.00000225DA9DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2544361003.000001FF919A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2962419416.0000022F35D6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2207271246.0000018C4E369000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2209605064.0000022BC69BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2332218680.00000225CAB99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2344876942.000001FF81B58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2617968389.0000022F25F29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2669542259.0000024021DB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000004.00000002.2207271246.0000018C4E141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2209605064.0000022BC6791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2332218680.00000225CA971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2344876942.000001FF81931000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2617968389.0000022F25D01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2669542259.0000024021B91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3191732237.0000023A60C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2207271246.0000018C4E369000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2209605064.0000022BC69BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2332218680.00000225CAB99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2344876942.000001FF81B58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2617968389.0000022F25F29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2669542259.0000024021DB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.2266366897.0000018C666FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000004.00000002.2207271246.0000018C4E141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2209605064.0000022BC6791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2332218680.00000225CA971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2344876942.000001FF81931000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2617968389.0000022F25D01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2669542259.0000024021B91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3191732237.0000023A60C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: UH7iNNKgPW.exe, 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, KUPAL.exe, 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, ADWASl.exe, 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2252587537.0000018C5E1AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2514087169.00000225DA9DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2544361003.000001FF919A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2962419416.0000022F35D6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD34898505	4_2_00007FFD34898505
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD34898E05	4_2_00007FFD34898E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD34892785	4_2_00007FFD34892785
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD34964031	4_2_00007FFD34964031
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD348B8E05	6_2_00007FFD348B8E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD348B2785	6_2_00007FFD348B2785
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD349839D1	6_2_00007FFD349839D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD349830E9	6_2_00007FFD349830E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD348AB9FA	10_2_00007FFD348AB9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD348A5EFA	10_2_00007FFD348A5EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD348A8EFA	10_2_00007FFD348A8EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD34972E11	10_2_00007FFD34972E11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD348A25ED	14_2_00007FFD348A25ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD348A89F2	14_2_00007FFD348A89F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD348A5BFA	14_2_00007FFD348A5BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD348A5B80	14_2_00007FFD348A5B80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD3497332B	14_2_00007FFD3497332B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFD349830E9	17_2_00007FFD349830E9

Sample file is different than original file name gathered from version info

Source: UH7iNNKgPW.exe, 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameADWASl.exe4 vs UH7iNNKgPW.exe

Uses 32bit PE files

Source: UH7iNNKgPW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: UH7iNNKgPW.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: UH7iNNKgPW.exe, XEzSZgHCvRU6PIyyVykcAoQt2wN8F3qN55AqJmuSAn9IC182lR.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: KUPAL.exe.0.dr, fvcQklKJdlNQFE3FnktKn5rwnsWAHQnX7ZDmsBEzElTtjwicOZWy9bgOWSJi16v2zL2sRdMu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: KUPAL.exe.0.dr, fvcQklKJdlNQFE3FnktKn5rwnsWAHQnX7ZDmsBEzElTtjwicOZWy9bgOWSJi16v2zL2sRdMu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: KUPAL.exe.0.dr, bh7l0j4xfyFFiqWrV16LaYUHH1r7OE1hOyUvzHKQwLQZNAKauYR1fO6QuHKR7w1YbY7VUbCu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ADWASl.exe.0.dr, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ADWASl.exe.0.dr, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ADWASl.exe.0.dr, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: KUPAL.exe.0.dr, 0XvkmsbaVPd9WO3z1bUGAgNZ9hKL0wc4JJSAPvsw.cs	Base64 encoded string: 'kNiYaE/ny3jmmYIBwtyZPjJPbuznt9OawWXkTsR9qA+BlqrnPCkdj99mEAl+sE3S'
Source: ADWASl.exe.0.dr, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	Base64 encoded string: 'sJNo6boBGfuqf+zUnbEZYTm08q2As0UwHWQ61zsciw1Xe728g8wKSHcKUqY9qbHTdGZvdKfpKivLLLNt7kA/Bg==', 'XrHaz9A9D06Phx36ThT6paRm3KHM75wD4BRmKyX9gZ91uwde6LEWlqjJg+Qv/du2', 'jKLixTgZyZ5H74ntDUcqJxob5Nk2OsiSVuXXTFCpO9feEYA7lO6gYYyTSMRmONgV', 'Y6PQpJ8W7I8YHEoJaQ8aBqujXGrN3SneWbvPXfDqciVN5Eakoll0GrHkafC61/fm'
Source: ADWASl.exe.0.dr, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	Base64 encoded string: 'YdOkHPHs6JugyEfqoaWYQzK5hjMxLCFviw6tfZhMlskyEtKOHVTx6IfOLDcnGqUFuL3uQtMtj4yPARkIWCDN'
Source: ADWASl.exe.0.dr, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	Base64 encoded string: 'hSA5Wdc33Xof2OwTnKOLa8so370NRMaNQcqRYHc4LrWK5PKbcSRtfNito9gCsJvS12xxgJv6VsBQXSiJukvg', 'JYxmlGmMa6UJHLWc30XTaOlKNcYGq8gz8YOhJsQZmAL7FVMjYMe1fn9a5PhcHiPAfLMy5bvNuPbjTTSrCXkk'
Source: ADWASl.exe.0.dr, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	Base64 encoded string: 'nju2v7Vt1R40BED8pEyTxKXI6CptbMnMsRQlcnuMehvWSZFNGekIX77ao0fCbDJKT1NXymEjwkuZCSTH9ufJ'
Source: ADWASl.exe.0.dr, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Base64 encoded string: 'nci1rHCJyRJQrXJ6TV9iSbUp7C10zbmcqITIdEHF2Yi8WK5aQB7V65GJ2B8WUbYLnDS6pIlUdt76vztuudGM', 'quE77m97gwbNeooClY0DvShSQbsjzcqRcXtWGuGrgAS37IOmOPCXaXmytLaQENYxbOXg3a2ILt3B1kaVXR2R', 'KkA7kqJv5hIOfwyYaEd3XfdzaYT03XorqBmoF2FQwl5HGnOyMec9ZizncNN3CeEuL82VpSkjTOcwuugZCzHm', 'QFtQ6uhzug2xNTvoxHpR3fxbroshkRkThngsrAJXb0wF3aa3uwdZbhYq32N2hX2hv0tHaUmvrT8TapbZQrfn', 'rbA6bD92SAnGIYYW1g7V8Eu92RQ81XCyQcoYrFqYzWplNCiZ2OSVFMtobkWhqUAliwaxnZ7TGPxvdMqqjkRd', 'QW8rW4VTLMnsYtvbKVnUUfnYaXfUkMHfflVTslNLDxiKrXu4LGei2YEYX3498LroZHchBA10dHP1ey94cjZP', 'ncARmhGIRPodzCFcskZDKU4UaMqxSl64LjzTHhZ5z90AuhxxNMiELYJQ3odcTxt3ZkVG3Ik9TGA2zPTxbc1d', 'pHgRsbUI4Ynb3C7iJsGu5rXmE00WEDmecxC8Ap2iH1Mm7LmPXIgloi9OxiN8kofpwunCXWCoXk49l6rkX8Q8', 'SyEJpyAImLmr6a2sUbQmSiErJ1EHN4TccknuvCDsJrlQuNPsw5Qpukbc21DJxQ7U6VSQ7GqptIMkL7sOLzUW', 'mp62tWEyp5iwpbT5xlEgr4NnM3QHfF0zhOUt19R9lVpd5TQxVCKStg9SvPdkavaJYwR2VoPVcy3BBmPghD7Z', 'VaB7i6WVZKvKO2B7A9MZwVl1akVGqLsJgBf58GLwXj26JFtXu18dnrzg30XxWe66YQ4IBNPen7bzE7ska9rK', 'ZqJcJqIB6l9oIpdDMkPX3iYYVoBRdJP8plmCxri0xRK4qqz6baJ8IaaOd539sa83QQ7uEWyHcCNvjl3tY5Ml', 'I05FeP8TX5O0rO6mO6ERKVvCCpyQ4vFwQiwwUKY4Njgn0wR13XgwyeoXO82WjjbfxmgkBcRexBuJfru6c0w6', 'moltyu2jIOlDc4fRe6LzzyAIPP9yjcklmWQ99vLVwoMOeyDP4NXQwtAy2AKjo6sc4vl5XbztWbvmcnK7MhfW'
Source: ADWASl.exe.0.dr, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	Base64 encoded string: 'uB6jeIJPzRYJkd639zhowrMemVgi1wKX283IYjpVBSRnjMHiuQl5cO4KZVRoDCimDjTVFpcKmAzsLRtfIkcm', 'ILGrxTudKOf9mRjOfBsQDjeuDPZp9Da6uzSULDye0XwNxhweqW8wRJd54KFC3TaWNhbpUYIYsGuRoJ4HAJ8x'
Source: ADWASl.exe.0.dr, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	Base64 encoded string: 'iCIUBBtr5yBUUD7pRX8vueyjeApR1DYh86qALhw7kjKLS45vQPpGBPZMQefYs2MrloDma0DkCN585WMyiwmP', 'PW4a6F32BJIK4WR8kZ7LRHe4WbxB2KOSC4RcknKMDyTZxqYLDhQL1m1bwikI0dWyCntbQvd8ZY8AlxeEc2PH', 'otp0HWeipx0H6jbscpkVveoRjdDRKKDoz7vPHhSCgyxg3q6oUoUhr7PIN20p1YNCbfSx04T2ytDw3rS8B58U', 'UFdlAD3PcPsJJEAVMOZ6y8uNKLOo9yTOfnWuY7qtXCOg9aP13yzYzox8XYxyQTMW0vipBlYuVPOLNzVxVHvB'
Source: ADWASl.exe.0.dr, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	Base64 encoded string: 'rc7hlhnncXyYCgHofxV8AsiQ8YI91T5C7EYW9wD9zzLJdiFB8d2o81HFEoZGPrqJv3c8nBoeKlXYY2S1r8T0'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	Base64 encoded string: 'sJNo6boBGfuqf+zUnbEZYTm08q2As0UwHWQ61zsciw1Xe728g8wKSHcKUqY9qbHTdGZvdKfpKivLLLNt7kA/Bg==', 'XrHaz9A9D06Phx36ThT6paRm3KHM75wD4BRmKyX9gZ91uwde6LEWlqjJg+Qv/du2', 'jKLixTgZyZ5H74ntDUcqJxob5Nk2OsiSVuXXTFCpO9feEYA7lO6gYYyTSMRmONgV', 'Y6PQpJ8W7I8YHEoJaQ8aBqujXGrN3SneWbvPXfDqciVN5Eakoll0GrHkafC61/fm'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	Base64 encoded string: 'YdOkHPHs6JugyEfqoaWYQzK5hjMxLCFviw6tfZhMlskyEtKOHVTx6IfOLDcnGqUFuL3uQtMtj4yPARkIWCDN'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	Base64 encoded string: 'hSA5Wdc33Xof2OwTnKOLa8so370NRMaNQcqRYHc4LrWK5PKbcSRtfNito9gCsJvS12xxgJv6VsBQXSiJukvg', 'JYxmlGmMa6UJHLWc30XTaOlKNcYGq8gz8YOhJsQZmAL7FVMjYMe1fn9a5PhcHiPAfLMy5bvNuPbjTTSrCXkk'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	Base64 encoded string: 'nju2v7Vt1R40BED8pEyTxKXI6CptbMnMsRQlcnuMehvWSZFNGekIX77ao0fCbDJKT1NXymEjwkuZCSTH9ufJ'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Base64 encoded string: 'nci1rHCJyRJQrXJ6TV9iSbUp7C10zbmcqITIdEHF2Yi8WK5aQB7V65GJ2B8WUbYLnDS6pIlUdt76vztuudGM', 'quE77m97gwbNeooClY0DvShSQbsjzcqRcXtWGuGrgAS37IOmOPCXaXmytLaQENYxbOXg3a2ILt3B1kaVXR2R', 'KkA7kqJv5hIOfwyYaEd3XfdzaYT03XorqBmoF2FQwl5HGnOyMec9ZizncNN3CeEuL82VpSkjTOcwuugZCzHm', 'QFtQ6uhzug2xNTvoxHpR3fxbroshkRkThngsrAJXb0wF3aa3uwdZbhYq32N2hX2hv0tHaUmvrT8TapbZQrfn', 'rbA6bD92SAnGIYYW1g7V8Eu92RQ81XCyQcoYrFqYzWplNCiZ2OSVFMtobkWhqUAliwaxnZ7TGPxvdMqqjkRd', 'QW8rW4VTLMnsYtvbKVnUUfnYaXfUkMHfflVTslNLDxiKrXu4LGei2YEYX3498LroZHchBA10dHP1ey94cjZP', 'ncARmhGIRPodzCFcskZDKU4UaMqxSl64LjzTHhZ5z90AuhxxNMiELYJQ3odcTxt3ZkVG3Ik9TGA2zPTxbc1d', 'pHgRsbUI4Ynb3C7iJsGu5rXmE00WEDmecxC8Ap2iH1Mm7LmPXIgloi9OxiN8kofpwunCXWCoXk49l6rkX8Q8', 'SyEJpyAImLmr6a2sUbQmSiErJ1EHN4TccknuvCDsJrlQuNPsw5Qpukbc21DJxQ7U6VSQ7GqptIMkL7sOLzUW', 'mp62tWEyp5iwpbT5xlEgr4NnM3QHfF0zhOUt19R9lVpd5TQxVCKStg9SvPdkavaJYwR2VoPVcy3BBmPghD7Z', 'VaB7i6WVZKvKO2B7A9MZwVl1akVGqLsJgBf58GLwXj26JFtXu18dnrzg30XxWe66YQ4IBNPen7bzE7ska9rK', 'ZqJcJqIB6l9oIpdDMkPX3iYYVoBRdJP8plmCxri0xRK4qqz6baJ8IaaOd539sa83QQ7uEWyHcCNvjl3tY5Ml', 'I05FeP8TX5O0rO6mO6ERKVvCCpyQ4vFwQiwwUKY4Njgn0wR13XgwyeoXO82WjjbfxmgkBcRexBuJfru6c0w6', 'moltyu2jIOlDc4fRe6LzzyAIPP9yjcklmWQ99vLVwoMOeyDP4NXQwtAy2AKjo6sc4vl5XbztWbvmcnK7MhfW'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	Base64 encoded string: 'uB6jeIJPzRYJkd639zhowrMemVgi1wKX283IYjpVBSRnjMHiuQl5cO4KZVRoDCimDjTVFpcKmAzsLRtfIkcm', 'ILGrxTudKOf9mRjOfBsQDjeuDPZp9Da6uzSULDye0XwNxhweqW8wRJd54KFC3TaWNhbpUYIYsGuRoJ4HAJ8x'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	Base64 encoded string: 'iCIUBBtr5yBUUD7pRX8vueyjeApR1DYh86qALhw7kjKLS45vQPpGBPZMQefYs2MrloDma0DkCN585WMyiwmP', 'PW4a6F32BJIK4WR8kZ7LRHe4WbxB2KOSC4RcknKMDyTZxqYLDhQL1m1bwikI0dWyCntbQvd8ZY8AlxeEc2PH', 'otp0HWeipx0H6jbscpkVveoRjdDRKKDoz7vPHhSCgyxg3q6oUoUhr7PIN20p1YNCbfSx04T2ytDw3rS8B58U', 'UFdlAD3PcPsJJEAVMOZ6y8uNKLOo9yTOfnWuY7qtXCOg9aP13yzYzox8XYxyQTMW0vipBlYuVPOLNzVxVHvB'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	Base64 encoded string: 'rc7hlhnncXyYCgHofxV8AsiQ8YI91T5C7EYW9wD9zzLJdiFB8d2o81HFEoZGPrqJv3c8nBoeKlXYY2S1r8T0'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	Base64 encoded string: 'sJNo6boBGfuqf+zUnbEZYTm08q2As0UwHWQ61zsciw1Xe728g8wKSHcKUqY9qbHTdGZvdKfpKivLLLNt7kA/Bg==', 'XrHaz9A9D06Phx36ThT6paRm3KHM75wD4BRmKyX9gZ91uwde6LEWlqjJg+Qv/du2', 'jKLixTgZyZ5H74ntDUcqJxob5Nk2OsiSVuXXTFCpO9feEYA7lO6gYYyTSMRmONgV', 'Y6PQpJ8W7I8YHEoJaQ8aBqujXGrN3SneWbvPXfDqciVN5Eakoll0GrHkafC61/fm'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	Base64 encoded string: 'YdOkHPHs6JugyEfqoaWYQzK5hjMxLCFviw6tfZhMlskyEtKOHVTx6IfOLDcnGqUFuL3uQtMtj4yPARkIWCDN'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	Base64 encoded string: 'hSA5Wdc33Xof2OwTnKOLa8so370NRMaNQcqRYHc4LrWK5PKbcSRtfNito9gCsJvS12xxgJv6VsBQXSiJukvg', 'JYxmlGmMa6UJHLWc30XTaOlKNcYGq8gz8YOhJsQZmAL7FVMjYMe1fn9a5PhcHiPAfLMy5bvNuPbjTTSrCXkk'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	Base64 encoded string: 'nju2v7Vt1R40BED8pEyTxKXI6CptbMnMsRQlcnuMehvWSZFNGekIX77ao0fCbDJKT1NXymEjwkuZCSTH9ufJ'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Base64 encoded string: 'nci1rHCJyRJQrXJ6TV9iSbUp7C10zbmcqITIdEHF2Yi8WK5aQB7V65GJ2B8WUbYLnDS6pIlUdt76vztuudGM', 'quE77m97gwbNeooClY0DvShSQbsjzcqRcXtWGuGrgAS37IOmOPCXaXmytLaQENYxbOXg3a2ILt3B1kaVXR2R', 'KkA7kqJv5hIOfwyYaEd3XfdzaYT03XorqBmoF2FQwl5HGnOyMec9ZizncNN3CeEuL82VpSkjTOcwuugZCzHm', 'QFtQ6uhzug2xNTvoxHpR3fxbroshkRkThngsrAJXb0wF3aa3uwdZbhYq32N2hX2hv0tHaUmvrT8TapbZQrfn', 'rbA6bD92SAnGIYYW1g7V8Eu92RQ81XCyQcoYrFqYzWplNCiZ2OSVFMtobkWhqUAliwaxnZ7TGPxvdMqqjkRd', 'QW8rW4VTLMnsYtvbKVnUUfnYaXfUkMHfflVTslNLDxiKrXu4LGei2YEYX3498LroZHchBA10dHP1ey94cjZP', 'ncARmhGIRPodzCFcskZDKU4UaMqxSl64LjzTHhZ5z90AuhxxNMiELYJQ3odcTxt3ZkVG3Ik9TGA2zPTxbc1d', 'pHgRsbUI4Ynb3C7iJsGu5rXmE00WEDmecxC8Ap2iH1Mm7LmPXIgloi9OxiN8kofpwunCXWCoXk49l6rkX8Q8', 'SyEJpyAImLmr6a2sUbQmSiErJ1EHN4TccknuvCDsJrlQuNPsw5Qpukbc21DJxQ7U6VSQ7GqptIMkL7sOLzUW', 'mp62tWEyp5iwpbT5xlEgr4NnM3QHfF0zhOUt19R9lVpd5TQxVCKStg9SvPdkavaJYwR2VoPVcy3BBmPghD7Z', 'VaB7i6WVZKvKO2B7A9MZwVl1akVGqLsJgBf58GLwXj26JFtXu18dnrzg30XxWe66YQ4IBNPen7bzE7ska9rK', 'ZqJcJqIB6l9oIpdDMkPX3iYYVoBRdJP8plmCxri0xRK4qqz6baJ8IaaOd539sa83QQ7uEWyHcCNvjl3tY5Ml', 'I05FeP8TX5O0rO6mO6ERKVvCCpyQ4vFwQiwwUKY4Njgn0wR13XgwyeoXO82WjjbfxmgkBcRexBuJfru6c0w6', 'moltyu2jIOlDc4fRe6LzzyAIPP9yjcklmWQ99vLVwoMOeyDP4NXQwtAy2AKjo6sc4vl5XbztWbvmcnK7MhfW'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	Base64 encoded string: 'uB6jeIJPzRYJkd639zhowrMemVgi1wKX283IYjpVBSRnjMHiuQl5cO4KZVRoDCimDjTVFpcKmAzsLRtfIkcm', 'ILGrxTudKOf9mRjOfBsQDjeuDPZp9Da6uzSULDye0XwNxhweqW8wRJd54KFC3TaWNhbpUYIYsGuRoJ4HAJ8x'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	Base64 encoded string: 'iCIUBBtr5yBUUD7pRX8vueyjeApR1DYh86qALhw7kjKLS45vQPpGBPZMQefYs2MrloDma0DkCN585WMyiwmP', 'PW4a6F32BJIK4WR8kZ7LRHe4WbxB2KOSC4RcknKMDyTZxqYLDhQL1m1bwikI0dWyCntbQvd8ZY8AlxeEc2PH', 'otp0HWeipx0H6jbscpkVveoRjdDRKKDoz7vPHhSCgyxg3q6oUoUhr7PIN20p1YNCbfSx04T2ytDw3rS8B58U', 'UFdlAD3PcPsJJEAVMOZ6y8uNKLOo9yTOfnWuY7qtXCOg9aP13yzYzox8XYxyQTMW0vipBlYuVPOLNzVxVHvB'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	Base64 encoded string: 'rc7hlhnncXyYCgHofxV8AsiQ8YI91T5C7EYW9wD9zzLJdiFB8d2o81HFEoZGPrqJv3c8nBoeKlXYY2S1r8T0'

Source: ADWASl.exe.0.dr, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ADWASl.exe.0.dr, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: KUPAL.exe.0.dr, awl0qWwno02IS3TZTlMW72ewpRG8JCOq28YLwgSw.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: KUPAL.exe.0.dr, awl0qWwno02IS3TZTlMW72ewpRG8JCOq28YLwgSw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@29/36@1/1

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

File created: C:\Users\user\AppData\Roaming\KUPAL.exe

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_03
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Mutant created: \Sessions\1\BaseNamedObjects\mUneoSv3FUAeQ4a2
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2656:120:WilError_03
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Mutant created: \Sessions\1\BaseNamedObjects\t1DChNHd6c9Qof0cr
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Mutant created: \Sessions\1\BaseNamedObjects\WEoEbM8OdImCc10z
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4932:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nyeksvtm.nqj.ps1

Jump to behavior

Source: UH7iNNKgPW.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: UH7iNNKgPW.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: UH7iNNKgPW.exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\UH7iNNKgPW.exe "C:\Users\user\Desktop\UH7iNNKgPW.exe"
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\KUPAL.exe "C:\Users\user\AppData\Roaming\KUPAL.exe"
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\ADWASl.exe "C:\Users\user\AppData\Roaming\ADWASl.exe"
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ADWASl.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KUPAL.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ADWASl.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\KUPAL.exe "C:\Users\user\AppData\Roaming\KUPAL.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\ADWASl.exe "C:\Users\user\AppData\Roaming\ADWASl.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KUPAL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ADWASl.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ADWASl.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'	Jump to behavior

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: UH7iNNKgPW.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: UH7iNNKgPW.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0XvkmsbaVPd9WO3z1bUGAgNZ9hKL0wc4JJSAPvsw.PhuOSqiW3h3VaUPTbztuOw8rPFphC7RomB1mumCb,_0XvkmsbaVPd9WO3z1bUGAgNZ9hKL0wc4JJSAPvsw.rburoukbazQFJTDNfC5dFQImPdItBxK06mfocpdR,_0XvkmsbaVPd9WO3z1bUGAgNZ9hKL0wc4JJSAPvsw.IzcbDKfDunVXRnLq4y8oBftwUo0m7N8hWKrUODe1,_0XvkmsbaVPd9WO3z1bUGAgNZ9hKL0wc4JJSAPvsw.QY25jgyPTI68XbEPwIDfmWwSv1m3fYVJkwr8muqM,fvcQklKJdlNQFE3FnktKn5rwnsWAHQnX7ZDmsBEzElTtjwicOZWy9bgOWSJi16v2zL2sRdMu.amvGhdGvyeGb46m()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{K1Bgpf4DyJ3i012BuW9VQBj2b6Yg0P9sSucEVY6PYWCO7CZQMduwZSigknAqAyL9RC0YKvzR[2],fvcQklKJdlNQFE3FnktKn5rwnsWAHQnX7ZDmsBEzElTtjwicOZWy9bgOWSJi16v2zL2sRdMu.IBAFke1hf7vKohL(Convert.FromBase64String(K1Bgpf4DyJ3i012BuW9VQBj2b6Yg0P9sSucEVY6PYWCO7CZQMduwZSigknAqAyL9RC0YKvzR[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { K1Bgpf4DyJ3i012BuW9VQBj2b6Yg0P9sSucEVY6PYWCO7CZQMduwZSigknAqAyL9RC0YKvzR[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.ykrfjf8FB3D8jVEbrAC0MC1UMmVBNZ3e6t,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.EroEfVXUZHuuJtXd2jAGBMSjWEsxQw13Yb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.FToqSCLet2mLnp2wImT0fMUQxno20MZ7Xb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.asaUcKWqTFRxXngFkQhHRZ2Fa0S5xYNQ9S,iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.LpJmYH1n7PUogp2YGdIvYAYmaYF8u20huL()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2],iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7._68SouWwBJh9NK888kFAkROkcXWRE4IgNTL(Convert.FromBase64String(tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.ykrfjf8FB3D8jVEbrAC0MC1UMmVBNZ3e6t,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.EroEfVXUZHuuJtXd2jAGBMSjWEsxQw13Yb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.FToqSCLet2mLnp2wImT0fMUQxno20MZ7Xb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.asaUcKWqTFRxXngFkQhHRZ2Fa0S5xYNQ9S,iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.LpJmYH1n7PUogp2YGdIvYAYmaYF8u20huL()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2],iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7._68SouWwBJh9NK888kFAkROkcXWRE4IgNTL(Convert.FromBase64String(tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.ykrfjf8FB3D8jVEbrAC0MC1UMmVBNZ3e6t,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.EroEfVXUZHuuJtXd2jAGBMSjWEsxQw13Yb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.FToqSCLet2mLnp2wImT0fMUQxno20MZ7Xb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.asaUcKWqTFRxXngFkQhHRZ2Fa0S5xYNQ9S,iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.LpJmYH1n7PUogp2YGdIvYAYmaYF8u20huL()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2],iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7._68SouWwBJh9NK888kFAkROkcXWRE4IgNTL(Convert.FromBase64String(tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: VmEQYJZAGyfXfaKDBbzrpoyLQpeh8o7VhJ6Yweo5 System.AppDomain.Load(byte[])
Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: aEUO6QbOpPJ85zBVSK067WLzI6gUn0OMKbH0olJwMZnd30qPgTWmQZ2qVQ8R9Uu1tU2NdtVU System.AppDomain.Load(byte[])
Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: aEUO6QbOpPJ85zBVSK067WLzI6gUn0OMKbH0olJwMZnd30qPgTWmQZ2qVQ8R9Uu1tU2NdtVU
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT System.AppDomain.Load(byte[])
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy System.AppDomain.Load(byte[])
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT System.AppDomain.Load(byte[])
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy System.AppDomain.Load(byte[])
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT System.AppDomain.Load(byte[])
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy System.AppDomain.Load(byte[])
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD3477D2A5 pushad ; iretd	4_2_00007FFD3477D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD3479D2A5 pushad ; iretd	6_2_00007FFD3479D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD3478D2A5 pushad ; iretd	10_2_00007FFD3478D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD3478D2A5 pushad ; iretd	14_2_00007FFD3478D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD3497050C push ds; iretd	14_2_00007FFD34970522
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD34974599 push esi; iretd	14_2_00007FFD3497459A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFD3479D2A5 pushad ; iretd	17_2_00007FFD3479D2A6

Source: UH7iNNKgPW.exe

Static PE information: section name: .text entropy: 7.976907442866878

Source: UH7iNNKgPW.exe, XEzSZgHCvRU6PIyyVykcAoQt2wN8F3qN55AqJmuSAn9IC182lR.cs	High entropy of concatenated method names: 'kcc2xQSHauM1QBY9rMzjlcTBkAGCWoyyfCvF2SUZjWZXPK52cV', 'dzOTNA3cVBMpXaDfg5rzmjTZmt4dS9caFgGa0PLtvBEF1fkebr', 'ZNl6O22DcHNMsQ8ZXsDco1pc4sMslpqRuiy93nkIflBettZ4ZW', 'eSf8lNxXjjiRNEHXUzWVpUWbn5zIBSvbqNGB8M29dM3lpWMXoI', 'q9CSJRPC6dUbBEMuJfGJ9XRFMHgyHFZd7x1g3f8xEeJwGslFsA', 'DZ0wFBYCL7kHdcl98kePuKxn46DPKzPNQYHZ8M7srdKjJK0VZV', 'O51aNvdYfEso0A5NHeudGK8qA7UTSYzcgNfhi1FcDmXH3C78H8', 'ORpRqCYdH7KSmXezvI4XgDkDiBaIQ6N3vlrcOznK2biSS6X1hB', 'aVwWE1NtP0UcXYbI0gcqANqDkeBMMvRcgbw6kXxsHcucSadCHo', '_52hm6B4j8hFjoYu7TMy1Rw9OfdOmmr2mf4BbESrJV8M0Ao3A7W'
Source: UH7iNNKgPW.exe, 3eP2DGdEk11wbp0AUKN5845c2YWe3IJ3xPbnLQoglwkBHsdSEIIrBuaYefCbvVyX.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'XumURgCgFsE0grPAJJSgEkOIP96dDAlgwtHGkPkk5muoas2M0g', 'kL84MfpWq3EaMxsTys0qTPAErcmZntZF7H26PngIGeeVoHogI7', 'Rwrdox8IdCjZQGffrHkQxVxlWehgphFooFjGDE5nmHeI5ZQkTz', 'PhfxWHoG2a9glFIjckHIEamgYUl7oguxE7C8BAk7F8ClBQ6Yaf'
Source: KUPAL.exe.0.dr, Gpb9iKg5zffq01B.cs	High entropy of concatenated method names: 'tj26o9I5F40wr4Y', 'g9urBN1GifMOIbT', 'F53hwK1CzrqodgW', 'zsI1BstG3v2F3aB', 'MNgnu1s9P4EkKqJ', 'mkZgnAgV0SBUjfs', 'Vac9ep9NXe8z8YR', 'KvTUNQvA3nvMCTS', 'IxfU6BVho15qJ77', 'yJtMXIPxedFc42J'
Source: KUPAL.exe.0.dr, fvcQklKJdlNQFE3FnktKn5rwnsWAHQnX7ZDmsBEzElTtjwicOZWy9bgOWSJi16v2zL2sRdMu.cs	High entropy of concatenated method names: 'FAE9MWrH890r1xO6c3rJ3QyAJrePJtigXS8BahQvEQigz4L2RL0bAuNvYJedPuTQ6naW87mq', 'ig3TqYk0ASC21dw3zOx59AOMeUaS8EHKFBbY1oo8HgF0j0EyZFDYRg5ZengUkgDtp99dno2q', 'IEvfen5HOU4ejarSJUQBsmEP3R6cnAB2hC1TteMUu1BTOCIdE3YRq6iSueI7QeaLSR6BEWkJ', '_91aeS2ugcrtlKkggaiGK7SjgXqBWtFwEEoJ48zyoqQnyN6Ox5qIOzJFJq1mAZgPGMM9s7BfC', '_87ZWHGckLSqCVt7ATT4vK3RhlZxWnuUEebKPQYrzLMZDR4KaLUuOCO1K1vva3HALxVIgOI9Y', '_9Izl3vWKf5PnArVqPMKqNFFcNh2d0ZkepSPixics1caTrp19yJM86vYUyZAjqY2NzaTUkiwn', 'NRwPPLEKdXSrq8q9nWmtokx1YYfEYHk1lbji7gtdaV4TbxqXKqApltbSTvCpYzFIORUsPdMS', 'NAMqH0HKPUIPbvuK9v0k6mGtdkvfJlAR0r8rZGt5RwtBGVFh43blJEKFrkRBB5sXcw1KulGT', 'N71C0Jfc03zJLXM', 'SoRqnTsWlJVtTbu'
Source: KUPAL.exe.0.dr, 4876bMPFrp0s5NsTnGrYyX9sxgDyo6GzENUbRMaPJhUGu6c7agrN3XrMZr0croeO6m60eyDl.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'BJJsVmbBiURdgRYqcymk9XSpGC8bNfIBEg7Y6rlP0wUkSbB2fbolDaMQFC4W5UVD3pYjSsW2', '_3XvbsO88QqYtOlz', 'QYjcBqEA91Wn9NP', 'ibO7hKyPlLhxvvp', 'l6POfA7zEizGDDB'
Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	High entropy of concatenated method names: 'ajxNA9IEIeZUdMRw9zo5PxNNgtWjbd7AuN0Xj5l6', 'VmEQYJZAGyfXfaKDBbzrpoyLQpeh8o7VhJ6Yweo5', 'oHopMgoxyFGtsJpygBKHt4KELMvhjrqEMD3Iesr8', 'sguELYWfSUTizTZEZYbZRZ7DOvJFqb3fA1OTf8Jc', '_4dH0CZSaSkEdJ8vqx7xDbTYjmpMZPm3hCa52HGZ0', 'mk035X1eVVMWksu6TN23YDN4JPniJRYwDgbkITBm', '_50HOeMNQHz3bpBz91s5sbkp2w92lnKBTl2FqbgfY', '_6o4dUFbZjEQ9DLlcLtYnu2EbZ2jWfkKoG5cOfoqASfRyBpV9Gd9ypjoBs3SeiwhP2eJT0PoO', 'ymc30zQKDIU08UxHjulCeQ3ALLVRysZJnoz9n881jZvPRCphMVX8z9zJ7R8hZ5tw9JGAl39B', 'JoIf0O9RCoVmb3USI5mTtgIA1bdRsl3aUa3UGYkSWLK4KfeGne6o6V74MZfCkErBpEmIkW1p'
Source: KUPAL.exe.0.dr, bh7l0j4xfyFFiqWrV16LaYUHH1r7OE1hOyUvzHKQwLQZNAKauYR1fO6QuHKR7w1YbY7VUbCu.cs	High entropy of concatenated method names: 'U0dLgk0ChxirxZaPswerOa0jqJutKP0gCicxwYLO0HjdBlZaKlp0oo5SBEsH5DtjScvACpo1', 'yxK4N9wOcUGgc2a', 'j4MTwLfhpj9EdQ1', 'w59jGNhPSa3DzbR', 'QmBG9aMQV6FtGDn'
Source: KUPAL.exe.0.dr, 3TnH11XWxOsnALveVE1XZ1msmmbCCXinCcqONlW9qOTaH40UcdKj9IqqyIM1v5P1U7HB9G2c.cs	High entropy of concatenated method names: 'zzH8SloKg2lGhimXX582BaJPLMo1hgLilGMqjSNEIBxmDo0Xqb29LAXGE0cpZhfFI1tVB1NE', 'Urxn5hfvouuQEAJ2y7w6WJayoRYEW0pImW7qQSwvIJ3AgfbD3rncrn7zSghVtyQPivybRTfY', 'Ic8LDg9hw5l1nFr', 'DKrBb3vsJ7baFy5', 'O0pqir1bUInACrM', '_1QeOfPChLFTrPBx'
Source: KUPAL.exe.0.dr, awl0qWwno02IS3TZTlMW72ewpRG8JCOq28YLwgSw.cs	High entropy of concatenated method names: 'qN0IB9hPi1qppaApcqiAe4sFxRRXf2lwdWB5jRlC', '_6W6Mn4MWMKoh2ADkZUH6GJ8nFI8je4ScsOuqWQsB', '_9mJNru8JnXmLYAU464ogzD6GKfEAIX7ijzGdk1Zu', 'NyC7egV2CDZIO2PnP67HnDlgUbdq0fU1tqepCCu8', 'JC8P9CmdtWKznr0yT40a6lO9rentUruy3bHuW5Eg', 'cMgiRqxSpdjLu8wi517VCIrKTwotswgo8tVFWfM0', 'yUEfcwBrAnHQfElecQbpIILM5cebKPpmFmFqkSqg', 'wMYWNVuvkIYc2Ng0uND5bVt1QhCPKnPpwClG4013', 'VLhVJ67JxPKLNZCPVK0vkpBdr7upQgWOXk7n920k', '_94JgXGgLfwqFghP7us16cQkKc8OwZQCNYwV8jnTU'
Source: KUPAL.exe.0.dr, HkXYzao033NbP35qRtQbQW6x8jekKgKTu4vHnKh2pWXbYuoeuNj1OuclGLmFdsBVBJortvq9.cs	High entropy of concatenated method names: 'Z3NCxC8EL1risoSfjCoq6H6cx84q4wSeJjSr1QZhOA10Zd9dshC5MkW4SltljC7Czj69Orvo', 'E8TTJvl8skSn7IR', 'gnWhNM7nKCrNhdQ', 'aysdm2VArPZn2Uc', 'A4dorEaUx8Dmocy'
Source: KUPAL.exe.0.dr, qxoQ9YMiJuBr6MiDEt9NWsZq59Rutag64lxDptib.cs	High entropy of concatenated method names: 'GKsBJ4OtrpjAE46xmOE0XDZH12K6CGrK2cve9CzL', 'pOi7VppjhQPlAJIQu3BnfoBOkxWEbBGMvlhb9stk', 'XWlHsGSbW1VweBDx7hiEBkPTPVZpFsTjgzWsZSlI', 'zJLSQrpKZAxaVs4K1TwhAp1F5RLIj2rrXQcwIdJL', 'QkNanFLRUUeWWZyBkkBkHeK9n603V5gZOwfMBbAR', 'iEcsd0pGC8KCDggW9Vpy2S3nsqFUTZztE2ejCspW', '_9x0ZflgRVkT9CV46mLrd6d5wEFWW6UxjV8o4c4Su', 'QVvWpfiardIYoE16Asf6GWXTjkpiCxpAYpSQrJP7', 'BIg5SitBdi756eYgRR3EBA0FqRRuI0xfKAwdCRqe', 'dsssygCdLOfgq1wUglJ1PKOITppkhcV0TITRBjy5'
Source: KUPAL.exe.0.dr, 9BEedHNZIxcDjX49XFwhs1P0rCYdoBQ6YaShTeGyU745ewZHhOMEXCMUfY4SdLxTRnJbH4rK.cs	High entropy of concatenated method names: 'NvPoy7rdRbmLoPdHQXUZPr8yT9v2Svd1SecCApSr85ZEvhNKeqGOy6uxAbIj2cM3lJzsLCLo', 'RQcse28C7mbBmA8txljwnkPbSNTHYmQBrt47WtADFwZhOgD9W9I7R7mxDY8euoV9Ol6dDL3k', 'exYdNqoERwrfakSziKsUIhzZQxRFFplnM3Xr4LcWl38OZksJNIqo7o68WMYpzY9ETCxjFMmQ', 'LqrRegV703oqNNtP4pz1HufA6icgriJqm6pAFRwiNj1Dh4hKH0yTTL81jBzCPu58w95CM6O3', '_86pvVjPXZ6gw4mT', 'ewdbxl6u0aDLWkJ', 'KAsvFofzvFDBPLa', 'dRoORTbY0Nf92Yz', 'GPruLIT8mwnSmbw', 'V7YwqHfMRJ5KDmG'
Source: KUPAL.exe.0.dr, ssnftGjpcWgQRRzodzvtrlojetu5ngML6brmX2W8gMw5JGtBMg9AN9VoXrUxcsnr35Fm87Tx.cs	High entropy of concatenated method names: '_0gT5fRJEGRRWvAii8FNW0zGLtWDczWCYB2UYa7VbJqKbZCq3pyOJotvB7zPvRuBPshpT8ceh', '_5g2dT10DATTxc5OZ2PGiqE5Yo1lURBCuk9tWV7aGXZiiClr1irUsgvZrhzcYr2enmwfTcx0w', 'utTzWNXbRMM2x1wgCUt2SUbtkuVAHWJSXd8hH9ITl23LwRrfjeih7L2EiUkKQeDWzUw8QLHW', 'Uy5FgKdtHBidOE8AGQChCVEn9rfhCF42X4MuZxUw6sRb9X0hAIIGaU1x1ftBa5lOhcQjVLDv', 'e9opK80UyENWZZmMcKUSWxMMxEvvppF60jNNCx4p66UQvRUoOoTWLFFIShJwULv2HsK5S7m3', '_7aY0pIPjuj7M1KEfMhCJ1PkDV5w0CmFByLRcBfJF4qFuiOPddGM3lj0tObIL7kVVkggnqSyr', '_6UevKMEBFA08g86rLPOEVcskjPkoh4CkEIT5SZCILjVbVUs6whH49Pyo71CnH4eyHSn5QEGi', '_6Ld76HCSFLJSihqHdXGdYRiIekT75XASc7vC3t5d9KRx7Lsu9hQseBGVT1mnF0mIGYUquqLG', 'W4YDWMk6QHiMuLSXTeQd6lfXLgRBPdXfUwzrDKrMQaQ595C93Npf7gArzjvZfaV9poutRs20', '_4yChv5mMNjiUy3GxWWEkvEwpxH1N7x5MT531kr9yRuS0Pj3uhCk99r4cOI2uVJYgaAGCMhzy'
Source: KUPAL.exe.0.dr, IlOFe16vZxVhby72xUz5Tpz8of5PbmFi8DHIWlR1jvaJDTZ6JTxhgEgqQjpsAGAtPeY4CVzH.cs	High entropy of concatenated method names: '_6Eucg29H61GnFHNSTufqvszpe5v3PDcWWkI7PU6obOxCzMz5znrh70YgaafhZMhNyFbBn5RX', 'kah6rQjfcZWudIBq3QHMEGRQQ5DPCqJjqdr8C8lj0rfNg0jRblo6cCLcsAH2KARLwPyrFcFN', 'XB8yaIHz1nXgMpragf38mOJuhZxCeY5Y8CXhRGKMinf74rrkf9CKuo15Xoq0NL8BfvVBOQzm', 'nwHwtCCHWvKKHsB', 'pVTJh8o6ftGD4JP', 'rI7EKcrpuRksJWq', 'jjHfsoSL1npjMvV', 'uYfVkO1n7hYN9hK', 'An9SI6bT5JHUgLL', '_4MZFL0ePkdDgDiJ'
Source: ADWASl.exe.0.dr, u38s9Z9WCTOOqvgWmyZukf1Jbl2Zyd89JpkvxtuUm61qDCH0HoFspcThnDBLhEToNm.cs	High entropy of concatenated method names: '_0vinH1r4kZ6zCDi50xG0KYU09q6MTvbg0bFCDLbWNN8yvp6ureCsQdzvt4QwGxcByz', 'eeZUhNzgjPzKNYItOLa3fVY0rpXo4ozzdA4VvsLJKDvjNCMpoVRPgoLK30tpwhMcVG', 'DHSOF12YmWHi7Y2Ea6V8CQddumpsPd8Lb2UCt9ZB2Jjrxsk3kXjVPwHqjdiI3xyjKv', 'pgU2aZ1Y4g0Y040rMPkF29VSJJ', 'jTLdMHvUdOpStJAyv2gKqGCwzE', 'JAu1ZJqwQvVxpdCshQL1K7HbpV', 'uQGNqd1IRmk1ZlwDq84RdVvXyr', 'QFOtLmj7Yy1w4irrWnz7xpnq84', 'lCzoeVTvVX5o95whVcAqKh2tq9', 'csWPFOYsxvIK4OmcITcLWITohz'
Source: ADWASl.exe.0.dr, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	High entropy of concatenated method names: 'mGfuytWa6WQ0WDgxGK6h4bZFMmZfcw1nBoVfwvHKY677jNPwk4A50A3XdfgEKHTQkl', 'NR9vFmDfLoPLEE9KqhTrcSOWcKN98IxwOw8mNxttcn9ipRBg7u6mFn7XBDNgVT3EPN', 'BBhwBsPwBQ7aHvwOPk1F9lfrjKVONGHhFlU3hRTh4VoIAS7N2oiZCd4om0YnyxuxPy', 'vZYYgPzT6ZgYFA8EoJBimxbYSK31rymrJUiUWpBzYezcbDeu3xZjkaN1fL5k1mUGj1'
Source: ADWASl.exe.0.dr, 8Jn03Hre77aHAsReZANprRKsF0s5Fkw6Rz.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Ro5UXtdvL9lTcB3Go4zQ7bES0axwxe7GqZdMFK4xNV7S9yGRHXgHrmMSminkgmf9TQ', '_28byse7QgVoGgcpunMdSadbVeJMtg6ykmQk5rgw1BkR5qxDFlvsdercEeNYKVnfbDt', 'rnlF8QgWKPvPfcJLcBQZUepjgpsYqZid8SjtjmeG8qCoaFaePAksD9LsEMMo1oc75Z', 'HHLmOjSjSR4FmnzXL2mQ5iJ7RrUmYHinyIZlbJYNm7Ri5ZPJRiUENV5e5ZbtjCaB9p'
Source: ADWASl.exe.0.dr, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	High entropy of concatenated method names: 'RegexResult', 'WndProc', 'TFQFFwLaOzWJjacuCFDtzqEd4CdjReatTQH6Kb2PSGI7m0qR25IkGAQaGCXLovmQ8rv5gRTCbr4JhLBiIgEq', 'tYIZLXZ6qJ3guetFCsT4mDImouzcYKT2lBzIpFpzLbgGbtA9JavfacFKosEt5N8DdrRXzKW4cy6KhCIoljpf'
Source: ADWASl.exe.0.dr, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	High entropy of concatenated method names: 'cnKgmMpYIPnnVDQCwr1jiPzwSTDaINmJMt', 'Xhvsgll9Vf9MCfY1nTB5A4LpLIT4YlJitO', 'orgO5KFXzdFniv7sd0bIuJ6HXbyhxM7XplXpnBJqgomALUx3RP9e0I0RSEI5AORIEAqw3SYeTGuYlzBbEOyc', 'HdTiGpLspKySW5qTNOATSslbu5F1i5KRealE84Gl4SfMcpucwc0bBAZUvjRvwFRsEnoKbo815Tn2dGRDaM3H', 'ZYzFu4NSwlPX83vNVqCFfJnVPluYiuJOaPizKz3wZROBNkTJzUhl3oWLb8O9x518sG4pz62OSCF3IEQpIgfy', 'ScUoaMaBi6v2mMtez8EPiTP0TdwxSUR8t0js0YrU3qAGGXlRv4SCl77mC8mJYpZBdNqnSDBeYGWFnvNZwokI'
Source: ADWASl.exe.0.dr, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	High entropy of concatenated method names: 'dAl3wAJgE2hCWPOUfNCkDG2pCC4lUK3LHH', 'a25UXsBfhVpLi4QDCqNZHmivJ4dBt8yaff', 'yYqhfSxRhGs3b6ZLwtWIpDpvnx5rkuE3PK', '_0VlklZJQP9z34ka4pGGEbkGUpJgts9pPeW', 'SMifTvxxY8QlZhB45Cp42n4ZNYSUXryivFp2mo6QEhcv53T0YnKpVxmSBtfsRUdSFw3QZWzu9xlUk6ZloQcK', 'yGTQdN3yaA8jSXShvRMRlyGKlVD3uqL6y15gxkmx3N2re8n5MZI6kaca4w229AWLj2ikjQqPsP3bCR9saIqX', 'wpRvcNU9aBH2NPh09FlpmBfeZqJhs5RPW4TozNPTq6dKhtjuFjGda1AS0fRNqWNPI72n1ndJCxRi5SBmhNdb', 'cwHniMcQcyEoPmwfIFHNIQf51X0o85l4IVlx8dtstk5meHYolQPUr8B4UUc94vs5drTVlYv1HplmyslRTdhU', 'B0ctOMHIaYuq4DoIffhCvdLahg8BWikabU4Jqceryr95xFws8TBuA8xDyCPIe9KsYpASfxClZ5dfTS70ABv7', 'oMKCMRP0WNr4HxbKRicox9jJOuzIcsmcXHxAHm042fc3NiG4MX4tVxvuxQHBSCqULEXX2hiPNQ0l23kAhBnF'
Source: ADWASl.exe.0.dr, BAQsBn1NJkPD4C1VnOoNbnTib2DUcZF1qK.cs	High entropy of concatenated method names: 'wXsvxN62Mr9gl9UrpAyNnp311jXRBsVfQC', '_8PHuY8sFn5QhfIOGCCKC1xnFsULJUbQb39eIJvRanGGIeV2Q5CfpEuUPpi2A186ROS1sjhq3ykvkZ1Q9KlMqCx7FalUygvVDMBX', 'UPo2N6PkxOlmCrPv73pTjhQm03ZUdFkDK50jMSHjDffoIHO3hAOgGw5dhCKZ58m2q9ojH9UpUZ4CBk5GqJDw4Xl6AUD5lsMteb0', '_21yJlfvbhX8fWpxwxI6fOSeYAppEiqyJkJqU4MUWGzU88oQvuQpGhZ726fwkegJm5ukeQ9mdQtoprBKTzu2UPRtRPyyZee2RfFw', 'zUT16vTMGPlv0IHRpTOoGjlY3TfAemgYdcBSk8aGqtwDnGu2ROsKfrcngaTpCN0Dqn0Ta6UbV1CkUe5gi7rAZJnKEH3cRv7JjL5'
Source: ADWASl.exe.0.dr, YIjiSEP2hWhyiDjYGa3MSDagl74ezBDVEx.cs	High entropy of concatenated method names: 'QvpI6SyQBJiQsiJkFip2JqZZbDLGhHhEBJ', '_62UTKRqa1fuFLWYa3XHoEmyDsQjXrWdOwD', 'S7UE8mcyPp1DOImplhCGZs2ZPfXPTpc3EB', 'p7yCbZiTTTSjApiyx5xtAy7dqcR70V0reB', 'OHUWIS5DXRDpGnUnKgO7QPBVnTg45LoatZ', 'zuoLZfLwt7TIqJna5bRqfvJirJTXes80EP', 'fsbO2Yro18k8meNYOOTu2iw5qCJzqg1dYJ', 'Wcz7z2cuZPAmPnLrU2Bvu6977a3bzIa6LP', 'dJmYOgalmpgYhoBQ0yepHL5NM0flFISpwY', 'ip6WqYH1rnV1j0aUSLL5O3VznLKO7GFVcW'
Source: ADWASl.exe.0.dr, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	High entropy of concatenated method names: 'dBcrZH24HmkCEHAYVhPxDRjLkHV2kWH40b', 'laqMxXP2ShfLtt9P2NTp7VQa5VUeqF8J0v', 'JOGYlg8J5eW5lmwwPRCg6gDEBEIrrq3brx', 'sdzfOmFg6n4ctdWj0ooCz63msqcRM08rVi', '_1VlgYUV8S6zLySarc50fuyjTrzMAVR5KyM', 'nT6e0fKSnxd8qv1KFSdMUPnCE1nBGX7SDy', 'oPIpiMiejMw8TyLRoQ7VevsQBzUWNC5Qno', '_3JOBGturmzfrWhVFdXi4swnN8pftftI25A', '_2caYB2Zw2k7U8DR0O4cc4X6NeX1rjIEv3v', 'a0rmiy6WZzbbiwX8iHlAqcKWBRhw1ZKuCO'
Source: ADWASl.exe.0.dr, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	High entropy of concatenated method names: 'SqPdoywPFn04FJsIhIjYJynBTBUBhkcgPy', 'hepLC7MDRzkmKzzMQy3Ishnne9eRU3J47O', 'i2eVWW15crSKwLffkqP4B262FqX0N1UCAi', '_4PbWIlZGrbHZVqWCUzRTCgVimiAS88fcpD', 'SS22hw4cvc8Al7FNVPrvKYwmToVCgYP1gp', 'v162s1m0TmuI2HMVuZ2XrbQgyUzHfNF2ts', 'BTmi22SqBaOgLnbAxDJqm4Pa8FId9dRrTe', 'wOWU4U5L6FG0eWWIcuIzKFqrhkLMWkGERr', 'L8GYlRBERVJxwfGiESrGYRvF6yJLhAxq8h', 'pyy936QW1sMycFhiBtct3TrELaVCH74pRa'
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	High entropy of concatenated method names: '_9iegpGDtJbfK2aqRy9UiIXStmuPAgPL77f', 'reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT', 'M9k8c8qB1PK70urQxEO2Og7cv5ZwNrI1Ea', 'fPmYGq9VcjEyEHoHZhf7boRNWHP9qzOUCC', 'Hkssw45dYNVC38LsBqgoxwxL8FdwDdVelQ', 'eLt3ijCZSwNHLUXeCzOH2NwQQCEnQDf0lY', '_0rXZS3snI76q0nD4rVguwmWneEdJbKX0Ic', '_6sRz153lQrhVLuAVh3bLlRyqtCn9vWoqn5', 'xNcck2lUSW9CMCpZ5JgWO4ZrGHyg2JQmBV', 's9ULWO4sPROQzS51wchU3OnnEjUSlSACcT'
Source: ADWASl.exe.0.dr, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	High entropy of concatenated method names: 'eT8SBGXb7pO5Me9JgNuYemrbTsKueDNATB', '_3xMOOF9BHl9e2afKtbXIG5PO1vJ4COBoifgI6IsMomnIgWPS2d0jBee4rNUXz40KOblvZofeeE3hH4OfiLfc', 'n9H8kfAXkOquWVWdUkoGex7HhQ72YrCc4PTa9puj3MhKxP2Ddr4wFulQzf2ZqP4PNULHXgSc6NnIGvBZ1d93', 'AQZa4zAa1Jq467vDC7cwZ99RjYFyzt2hsbi3b6NwIgvWD3IXotskm9lhRJOINhsnEY2Z4jasPKWMdawotm88', 'JzZnzPaK60MHF1GhSvQKjAVxcaSfqE9iH36PrgSDVnhWt0qsaKjraKsDXy50nLcdMWNbc941v7t8woWgQGVV'
Source: ADWASl.exe.0.dr, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	High entropy of concatenated method names: 'NOC81tgrhaMEvZFKfFS1vB4pMjzFkdKFjE', 'PWp7itE6MA7Q6Mt6BDU15Vp2d46qne3vDP', 'kBNeHrrMd2yyOTO8RLHtgecDIYlEayaroB', 'wwFuW5mlYgGtfLhRBlo8iWNrFa4LtFBBI3', 'eUjStOd1tRgbyHoJzcgx3kD08m2QkBdFiZ', 'lF3UmHXRLMMNiI2wYNe1EOSj9oF2gSOwHs', 'dm5F6FIuOnB9NU4YpDVy2lD3WyYLYQ1U92', 'EbKRSNC8Ar6f9SSgJJMloythXlRNbrUgxt', 'U9MDMV2qX0fme01XgcIlFHK6uax6PkFmRb', 'Z6ncaO2On6MqZqqlAhEboOBdExFIhoxNPk'
Source: ADWASl.exe.0.dr, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'LCSo9sSuwXZM1gRSBlBoig5fm9Wa49L1UO', 'OWEu2tda9MuWposFbiLoOnDpTvOzDAvfhrxZc3JwbZme9qkvGeKFrvadnUKsnx9C18SIYbwlMKLIXEPOdpuB', '_79XQMJdP2nGQE8BuDvji79HJDnx3a6kPOXzbTP7lW01HwJMysl53TVOxRNQFXNXsACxjYrLvgsFeUxHqSF8k', '_13tFW9Eyzw5spEi7ZzJK7ye9KhiPgI0Cxcu7CxYaZAPB3Z14YMr6k26Y5wEUo6r3RPwReDxnNwU5MzG9tR2w', 'QLqFvKO4cKP6lTZR0O1KMo7LCIdxjwTuwbC1o5YL0zLoe1l5KbxkZX9XfSYhFH4fturIxpgRVqCiXwsRCeZx'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, u38s9Z9WCTOOqvgWmyZukf1Jbl2Zyd89JpkvxtuUm61qDCH0HoFspcThnDBLhEToNm.cs	High entropy of concatenated method names: '_0vinH1r4kZ6zCDi50xG0KYU09q6MTvbg0bFCDLbWNN8yvp6ureCsQdzvt4QwGxcByz', 'eeZUhNzgjPzKNYItOLa3fVY0rpXo4ozzdA4VvsLJKDvjNCMpoVRPgoLK30tpwhMcVG', 'DHSOF12YmWHi7Y2Ea6V8CQddumpsPd8Lb2UCt9ZB2Jjrxsk3kXjVPwHqjdiI3xyjKv', 'pgU2aZ1Y4g0Y040rMPkF29VSJJ', 'jTLdMHvUdOpStJAyv2gKqGCwzE', 'JAu1ZJqwQvVxpdCshQL1K7HbpV', 'uQGNqd1IRmk1ZlwDq84RdVvXyr', 'QFOtLmj7Yy1w4irrWnz7xpnq84', 'lCzoeVTvVX5o95whVcAqKh2tq9', 'csWPFOYsxvIK4OmcITcLWITohz'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	High entropy of concatenated method names: 'mGfuytWa6WQ0WDgxGK6h4bZFMmZfcw1nBoVfwvHKY677jNPwk4A50A3XdfgEKHTQkl', 'NR9vFmDfLoPLEE9KqhTrcSOWcKN98IxwOw8mNxttcn9ipRBg7u6mFn7XBDNgVT3EPN', 'BBhwBsPwBQ7aHvwOPk1F9lfrjKVONGHhFlU3hRTh4VoIAS7N2oiZCd4om0YnyxuxPy', 'vZYYgPzT6ZgYFA8EoJBimxbYSK31rymrJUiUWpBzYezcbDeu3xZjkaN1fL5k1mUGj1'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, 8Jn03Hre77aHAsReZANprRKsF0s5Fkw6Rz.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Ro5UXtdvL9lTcB3Go4zQ7bES0axwxe7GqZdMFK4xNV7S9yGRHXgHrmMSminkgmf9TQ', '_28byse7QgVoGgcpunMdSadbVeJMtg6ykmQk5rgw1BkR5qxDFlvsdercEeNYKVnfbDt', 'rnlF8QgWKPvPfcJLcBQZUepjgpsYqZid8SjtjmeG8qCoaFaePAksD9LsEMMo1oc75Z', 'HHLmOjSjSR4FmnzXL2mQ5iJ7RrUmYHinyIZlbJYNm7Ri5ZPJRiUENV5e5ZbtjCaB9p'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	High entropy of concatenated method names: 'RegexResult', 'WndProc', 'TFQFFwLaOzWJjacuCFDtzqEd4CdjReatTQH6Kb2PSGI7m0qR25IkGAQaGCXLovmQ8rv5gRTCbr4JhLBiIgEq', 'tYIZLXZ6qJ3guetFCsT4mDImouzcYKT2lBzIpFpzLbgGbtA9JavfacFKosEt5N8DdrRXzKW4cy6KhCIoljpf'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	High entropy of concatenated method names: 'cnKgmMpYIPnnVDQCwr1jiPzwSTDaINmJMt', 'Xhvsgll9Vf9MCfY1nTB5A4LpLIT4YlJitO', 'orgO5KFXzdFniv7sd0bIuJ6HXbyhxM7XplXpnBJqgomALUx3RP9e0I0RSEI5AORIEAqw3SYeTGuYlzBbEOyc', 'HdTiGpLspKySW5qTNOATSslbu5F1i5KRealE84Gl4SfMcpucwc0bBAZUvjRvwFRsEnoKbo815Tn2dGRDaM3H', 'ZYzFu4NSwlPX83vNVqCFfJnVPluYiuJOaPizKz3wZROBNkTJzUhl3oWLb8O9x518sG4pz62OSCF3IEQpIgfy', 'ScUoaMaBi6v2mMtez8EPiTP0TdwxSUR8t0js0YrU3qAGGXlRv4SCl77mC8mJYpZBdNqnSDBeYGWFnvNZwokI'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	High entropy of concatenated method names: 'dAl3wAJgE2hCWPOUfNCkDG2pCC4lUK3LHH', 'a25UXsBfhVpLi4QDCqNZHmivJ4dBt8yaff', 'yYqhfSxRhGs3b6ZLwtWIpDpvnx5rkuE3PK', '_0VlklZJQP9z34ka4pGGEbkGUpJgts9pPeW', 'SMifTvxxY8QlZhB45Cp42n4ZNYSUXryivFp2mo6QEhcv53T0YnKpVxmSBtfsRUdSFw3QZWzu9xlUk6ZloQcK', 'yGTQdN3yaA8jSXShvRMRlyGKlVD3uqL6y15gxkmx3N2re8n5MZI6kaca4w229AWLj2ikjQqPsP3bCR9saIqX', 'wpRvcNU9aBH2NPh09FlpmBfeZqJhs5RPW4TozNPTq6dKhtjuFjGda1AS0fRNqWNPI72n1ndJCxRi5SBmhNdb', 'cwHniMcQcyEoPmwfIFHNIQf51X0o85l4IVlx8dtstk5meHYolQPUr8B4UUc94vs5drTVlYv1HplmyslRTdhU', 'B0ctOMHIaYuq4DoIffhCvdLahg8BWikabU4Jqceryr95xFws8TBuA8xDyCPIe9KsYpASfxClZ5dfTS70ABv7', 'oMKCMRP0WNr4HxbKRicox9jJOuzIcsmcXHxAHm042fc3NiG4MX4tVxvuxQHBSCqULEXX2hiPNQ0l23kAhBnF'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, BAQsBn1NJkPD4C1VnOoNbnTib2DUcZF1qK.cs	High entropy of concatenated method names: 'wXsvxN62Mr9gl9UrpAyNnp311jXRBsVfQC', '_8PHuY8sFn5QhfIOGCCKC1xnFsULJUbQb39eIJvRanGGIeV2Q5CfpEuUPpi2A186ROS1sjhq3ykvkZ1Q9KlMqCx7FalUygvVDMBX', 'UPo2N6PkxOlmCrPv73pTjhQm03ZUdFkDK50jMSHjDffoIHO3hAOgGw5dhCKZ58m2q9ojH9UpUZ4CBk5GqJDw4Xl6AUD5lsMteb0', '_21yJlfvbhX8fWpxwxI6fOSeYAppEiqyJkJqU4MUWGzU88oQvuQpGhZ726fwkegJm5ukeQ9mdQtoprBKTzu2UPRtRPyyZee2RfFw', 'zUT16vTMGPlv0IHRpTOoGjlY3TfAemgYdcBSk8aGqtwDnGu2ROsKfrcngaTpCN0Dqn0Ta6UbV1CkUe5gi7rAZJnKEH3cRv7JjL5'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, YIjiSEP2hWhyiDjYGa3MSDagl74ezBDVEx.cs	High entropy of concatenated method names: 'QvpI6SyQBJiQsiJkFip2JqZZbDLGhHhEBJ', '_62UTKRqa1fuFLWYa3XHoEmyDsQjXrWdOwD', 'S7UE8mcyPp1DOImplhCGZs2ZPfXPTpc3EB', 'p7yCbZiTTTSjApiyx5xtAy7dqcR70V0reB', 'OHUWIS5DXRDpGnUnKgO7QPBVnTg45LoatZ', 'zuoLZfLwt7TIqJna5bRqfvJirJTXes80EP', 'fsbO2Yro18k8meNYOOTu2iw5qCJzqg1dYJ', 'Wcz7z2cuZPAmPnLrU2Bvu6977a3bzIa6LP', 'dJmYOgalmpgYhoBQ0yepHL5NM0flFISpwY', 'ip6WqYH1rnV1j0aUSLL5O3VznLKO7GFVcW'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	High entropy of concatenated method names: 'dBcrZH24HmkCEHAYVhPxDRjLkHV2kWH40b', 'laqMxXP2ShfLtt9P2NTp7VQa5VUeqF8J0v', 'JOGYlg8J5eW5lmwwPRCg6gDEBEIrrq3brx', 'sdzfOmFg6n4ctdWj0ooCz63msqcRM08rVi', '_1VlgYUV8S6zLySarc50fuyjTrzMAVR5KyM', 'nT6e0fKSnxd8qv1KFSdMUPnCE1nBGX7SDy', 'oPIpiMiejMw8TyLRoQ7VevsQBzUWNC5Qno', '_3JOBGturmzfrWhVFdXi4swnN8pftftI25A', '_2caYB2Zw2k7U8DR0O4cc4X6NeX1rjIEv3v', 'a0rmiy6WZzbbiwX8iHlAqcKWBRhw1ZKuCO'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	High entropy of concatenated method names: 'SqPdoywPFn04FJsIhIjYJynBTBUBhkcgPy', 'hepLC7MDRzkmKzzMQy3Ishnne9eRU3J47O', 'i2eVWW15crSKwLffkqP4B262FqX0N1UCAi', '_4PbWIlZGrbHZVqWCUzRTCgVimiAS88fcpD', 'SS22hw4cvc8Al7FNVPrvKYwmToVCgYP1gp', 'v162s1m0TmuI2HMVuZ2XrbQgyUzHfNF2ts', 'BTmi22SqBaOgLnbAxDJqm4Pa8FId9dRrTe', 'wOWU4U5L6FG0eWWIcuIzKFqrhkLMWkGERr', 'L8GYlRBERVJxwfGiESrGYRvF6yJLhAxq8h', 'pyy936QW1sMycFhiBtct3TrELaVCH74pRa'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	High entropy of concatenated method names: '_9iegpGDtJbfK2aqRy9UiIXStmuPAgPL77f', 'reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT', 'M9k8c8qB1PK70urQxEO2Og7cv5ZwNrI1Ea', 'fPmYGq9VcjEyEHoHZhf7boRNWHP9qzOUCC', 'Hkssw45dYNVC38LsBqgoxwxL8FdwDdVelQ', 'eLt3ijCZSwNHLUXeCzOH2NwQQCEnQDf0lY', '_0rXZS3snI76q0nD4rVguwmWneEdJbKX0Ic', '_6sRz153lQrhVLuAVh3bLlRyqtCn9vWoqn5', 'xNcck2lUSW9CMCpZ5JgWO4ZrGHyg2JQmBV', 's9ULWO4sPROQzS51wchU3OnnEjUSlSACcT'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	High entropy of concatenated method names: 'eT8SBGXb7pO5Me9JgNuYemrbTsKueDNATB', '_3xMOOF9BHl9e2afKtbXIG5PO1vJ4COBoifgI6IsMomnIgWPS2d0jBee4rNUXz40KOblvZofeeE3hH4OfiLfc', 'n9H8kfAXkOquWVWdUkoGex7HhQ72YrCc4PTa9puj3MhKxP2Ddr4wFulQzf2ZqP4PNULHXgSc6NnIGvBZ1d93', 'AQZa4zAa1Jq467vDC7cwZ99RjYFyzt2hsbi3b6NwIgvWD3IXotskm9lhRJOINhsnEY2Z4jasPKWMdawotm88', 'JzZnzPaK60MHF1GhSvQKjAVxcaSfqE9iH36PrgSDVnhWt0qsaKjraKsDXy50nLcdMWNbc941v7t8woWgQGVV'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	High entropy of concatenated method names: 'NOC81tgrhaMEvZFKfFS1vB4pMjzFkdKFjE', 'PWp7itE6MA7Q6Mt6BDU15Vp2d46qne3vDP', 'kBNeHrrMd2yyOTO8RLHtgecDIYlEayaroB', 'wwFuW5mlYgGtfLhRBlo8iWNrFa4LtFBBI3', 'eUjStOd1tRgbyHoJzcgx3kD08m2QkBdFiZ', 'lF3UmHXRLMMNiI2wYNe1EOSj9oF2gSOwHs', 'dm5F6FIuOnB9NU4YpDVy2lD3WyYLYQ1U92', 'EbKRSNC8Ar6f9SSgJJMloythXlRNbrUgxt', 'U9MDMV2qX0fme01XgcIlFHK6uax6PkFmRb', 'Z6ncaO2On6MqZqqlAhEboOBdExFIhoxNPk'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'LCSo9sSuwXZM1gRSBlBoig5fm9Wa49L1UO', 'OWEu2tda9MuWposFbiLoOnDpTvOzDAvfhrxZc3JwbZme9qkvGeKFrvadnUKsnx9C18SIYbwlMKLIXEPOdpuB', '_79XQMJdP2nGQE8BuDvji79HJDnx3a6kPOXzbTP7lW01HwJMysl53TVOxRNQFXNXsACxjYrLvgsFeUxHqSF8k', '_13tFW9Eyzw5spEi7ZzJK7ye9KhiPgI0Cxcu7CxYaZAPB3Z14YMr6k26Y5wEUo6r3RPwReDxnNwU5MzG9tR2w', 'QLqFvKO4cKP6lTZR0O1KMo7LCIdxjwTuwbC1o5YL0zLoe1l5KbxkZX9XfSYhFH4fturIxpgRVqCiXwsRCeZx'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, u38s9Z9WCTOOqvgWmyZukf1Jbl2Zyd89JpkvxtuUm61qDCH0HoFspcThnDBLhEToNm.cs	High entropy of concatenated method names: '_0vinH1r4kZ6zCDi50xG0KYU09q6MTvbg0bFCDLbWNN8yvp6ureCsQdzvt4QwGxcByz', 'eeZUhNzgjPzKNYItOLa3fVY0rpXo4ozzdA4VvsLJKDvjNCMpoVRPgoLK30tpwhMcVG', 'DHSOF12YmWHi7Y2Ea6V8CQddumpsPd8Lb2UCt9ZB2Jjrxsk3kXjVPwHqjdiI3xyjKv', 'pgU2aZ1Y4g0Y040rMPkF29VSJJ', 'jTLdMHvUdOpStJAyv2gKqGCwzE', 'JAu1ZJqwQvVxpdCshQL1K7HbpV', 'uQGNqd1IRmk1ZlwDq84RdVvXyr', 'QFOtLmj7Yy1w4irrWnz7xpnq84', 'lCzoeVTvVX5o95whVcAqKh2tq9', 'csWPFOYsxvIK4OmcITcLWITohz'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	High entropy of concatenated method names: 'mGfuytWa6WQ0WDgxGK6h4bZFMmZfcw1nBoVfwvHKY677jNPwk4A50A3XdfgEKHTQkl', 'NR9vFmDfLoPLEE9KqhTrcSOWcKN98IxwOw8mNxttcn9ipRBg7u6mFn7XBDNgVT3EPN', 'BBhwBsPwBQ7aHvwOPk1F9lfrjKVONGHhFlU3hRTh4VoIAS7N2oiZCd4om0YnyxuxPy', 'vZYYgPzT6ZgYFA8EoJBimxbYSK31rymrJUiUWpBzYezcbDeu3xZjkaN1fL5k1mUGj1'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, 8Jn03Hre77aHAsReZANprRKsF0s5Fkw6Rz.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Ro5UXtdvL9lTcB3Go4zQ7bES0axwxe7GqZdMFK4xNV7S9yGRHXgHrmMSminkgmf9TQ', '_28byse7QgVoGgcpunMdSadbVeJMtg6ykmQk5rgw1BkR5qxDFlvsdercEeNYKVnfbDt', 'rnlF8QgWKPvPfcJLcBQZUepjgpsYqZid8SjtjmeG8qCoaFaePAksD9LsEMMo1oc75Z', 'HHLmOjSjSR4FmnzXL2mQ5iJ7RrUmYHinyIZlbJYNm7Ri5ZPJRiUENV5e5ZbtjCaB9p'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	High entropy of concatenated method names: 'RegexResult', 'WndProc', 'TFQFFwLaOzWJjacuCFDtzqEd4CdjReatTQH6Kb2PSGI7m0qR25IkGAQaGCXLovmQ8rv5gRTCbr4JhLBiIgEq', 'tYIZLXZ6qJ3guetFCsT4mDImouzcYKT2lBzIpFpzLbgGbtA9JavfacFKosEt5N8DdrRXzKW4cy6KhCIoljpf'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	High entropy of concatenated method names: 'cnKgmMpYIPnnVDQCwr1jiPzwSTDaINmJMt', 'Xhvsgll9Vf9MCfY1nTB5A4LpLIT4YlJitO', 'orgO5KFXzdFniv7sd0bIuJ6HXbyhxM7XplXpnBJqgomALUx3RP9e0I0RSEI5AORIEAqw3SYeTGuYlzBbEOyc', 'HdTiGpLspKySW5qTNOATSslbu5F1i5KRealE84Gl4SfMcpucwc0bBAZUvjRvwFRsEnoKbo815Tn2dGRDaM3H', 'ZYzFu4NSwlPX83vNVqCFfJnVPluYiuJOaPizKz3wZROBNkTJzUhl3oWLb8O9x518sG4pz62OSCF3IEQpIgfy', 'ScUoaMaBi6v2mMtez8EPiTP0TdwxSUR8t0js0YrU3qAGGXlRv4SCl77mC8mJYpZBdNqnSDBeYGWFnvNZwokI'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	High entropy of concatenated method names: 'dAl3wAJgE2hCWPOUfNCkDG2pCC4lUK3LHH', 'a25UXsBfhVpLi4QDCqNZHmivJ4dBt8yaff', 'yYqhfSxRhGs3b6ZLwtWIpDpvnx5rkuE3PK', '_0VlklZJQP9z34ka4pGGEbkGUpJgts9pPeW', 'SMifTvxxY8QlZhB45Cp42n4ZNYSUXryivFp2mo6QEhcv53T0YnKpVxmSBtfsRUdSFw3QZWzu9xlUk6ZloQcK', 'yGTQdN3yaA8jSXShvRMRlyGKlVD3uqL6y15gxkmx3N2re8n5MZI6kaca4w229AWLj2ikjQqPsP3bCR9saIqX', 'wpRvcNU9aBH2NPh09FlpmBfeZqJhs5RPW4TozNPTq6dKhtjuFjGda1AS0fRNqWNPI72n1ndJCxRi5SBmhNdb', 'cwHniMcQcyEoPmwfIFHNIQf51X0o85l4IVlx8dtstk5meHYolQPUr8B4UUc94vs5drTVlYv1HplmyslRTdhU', 'B0ctOMHIaYuq4DoIffhCvdLahg8BWikabU4Jqceryr95xFws8TBuA8xDyCPIe9KsYpASfxClZ5dfTS70ABv7', 'oMKCMRP0WNr4HxbKRicox9jJOuzIcsmcXHxAHm042fc3NiG4MX4tVxvuxQHBSCqULEXX2hiPNQ0l23kAhBnF'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, BAQsBn1NJkPD4C1VnOoNbnTib2DUcZF1qK.cs	High entropy of concatenated method names: 'wXsvxN62Mr9gl9UrpAyNnp311jXRBsVfQC', '_8PHuY8sFn5QhfIOGCCKC1xnFsULJUbQb39eIJvRanGGIeV2Q5CfpEuUPpi2A186ROS1sjhq3ykvkZ1Q9KlMqCx7FalUygvVDMBX', 'UPo2N6PkxOlmCrPv73pTjhQm03ZUdFkDK50jMSHjDffoIHO3hAOgGw5dhCKZ58m2q9ojH9UpUZ4CBk5GqJDw4Xl6AUD5lsMteb0', '_21yJlfvbhX8fWpxwxI6fOSeYAppEiqyJkJqU4MUWGzU88oQvuQpGhZ726fwkegJm5ukeQ9mdQtoprBKTzu2UPRtRPyyZee2RfFw', 'zUT16vTMGPlv0IHRpTOoGjlY3TfAemgYdcBSk8aGqtwDnGu2ROsKfrcngaTpCN0Dqn0Ta6UbV1CkUe5gi7rAZJnKEH3cRv7JjL5'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, YIjiSEP2hWhyiDjYGa3MSDagl74ezBDVEx.cs	High entropy of concatenated method names: 'QvpI6SyQBJiQsiJkFip2JqZZbDLGhHhEBJ', '_62UTKRqa1fuFLWYa3XHoEmyDsQjXrWdOwD', 'S7UE8mcyPp1DOImplhCGZs2ZPfXPTpc3EB', 'p7yCbZiTTTSjApiyx5xtAy7dqcR70V0reB', 'OHUWIS5DXRDpGnUnKgO7QPBVnTg45LoatZ', 'zuoLZfLwt7TIqJna5bRqfvJirJTXes80EP', 'fsbO2Yro18k8meNYOOTu2iw5qCJzqg1dYJ', 'Wcz7z2cuZPAmPnLrU2Bvu6977a3bzIa6LP', 'dJmYOgalmpgYhoBQ0yepHL5NM0flFISpwY', 'ip6WqYH1rnV1j0aUSLL5O3VznLKO7GFVcW'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	High entropy of concatenated method names: 'dBcrZH24HmkCEHAYVhPxDRjLkHV2kWH40b', 'laqMxXP2ShfLtt9P2NTp7VQa5VUeqF8J0v', 'JOGYlg8J5eW5lmwwPRCg6gDEBEIrrq3brx', 'sdzfOmFg6n4ctdWj0ooCz63msqcRM08rVi', '_1VlgYUV8S6zLySarc50fuyjTrzMAVR5KyM', 'nT6e0fKSnxd8qv1KFSdMUPnCE1nBGX7SDy', 'oPIpiMiejMw8TyLRoQ7VevsQBzUWNC5Qno', '_3JOBGturmzfrWhVFdXi4swnN8pftftI25A', '_2caYB2Zw2k7U8DR0O4cc4X6NeX1rjIEv3v', 'a0rmiy6WZzbbiwX8iHlAqcKWBRhw1ZKuCO'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	High entropy of concatenated method names: 'SqPdoywPFn04FJsIhIjYJynBTBUBhkcgPy', 'hepLC7MDRzkmKzzMQy3Ishnne9eRU3J47O', 'i2eVWW15crSKwLffkqP4B262FqX0N1UCAi', '_4PbWIlZGrbHZVqWCUzRTCgVimiAS88fcpD', 'SS22hw4cvc8Al7FNVPrvKYwmToVCgYP1gp', 'v162s1m0TmuI2HMVuZ2XrbQgyUzHfNF2ts', 'BTmi22SqBaOgLnbAxDJqm4Pa8FId9dRrTe', 'wOWU4U5L6FG0eWWIcuIzKFqrhkLMWkGERr', 'L8GYlRBERVJxwfGiESrGYRvF6yJLhAxq8h', 'pyy936QW1sMycFhiBtct3TrELaVCH74pRa'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	High entropy of concatenated method names: '_9iegpGDtJbfK2aqRy9UiIXStmuPAgPL77f', 'reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT', 'M9k8c8qB1PK70urQxEO2Og7cv5ZwNrI1Ea', 'fPmYGq9VcjEyEHoHZhf7boRNWHP9qzOUCC', 'Hkssw45dYNVC38LsBqgoxwxL8FdwDdVelQ', 'eLt3ijCZSwNHLUXeCzOH2NwQQCEnQDf0lY', '_0rXZS3snI76q0nD4rVguwmWneEdJbKX0Ic', '_6sRz153lQrhVLuAVh3bLlRyqtCn9vWoqn5', 'xNcck2lUSW9CMCpZ5JgWO4ZrGHyg2JQmBV', 's9ULWO4sPROQzS51wchU3OnnEjUSlSACcT'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	High entropy of concatenated method names: 'eT8SBGXb7pO5Me9JgNuYemrbTsKueDNATB', '_3xMOOF9BHl9e2afKtbXIG5PO1vJ4COBoifgI6IsMomnIgWPS2d0jBee4rNUXz40KOblvZofeeE3hH4OfiLfc', 'n9H8kfAXkOquWVWdUkoGex7HhQ72YrCc4PTa9puj3MhKxP2Ddr4wFulQzf2ZqP4PNULHXgSc6NnIGvBZ1d93', 'AQZa4zAa1Jq467vDC7cwZ99RjYFyzt2hsbi3b6NwIgvWD3IXotskm9lhRJOINhsnEY2Z4jasPKWMdawotm88', 'JzZnzPaK60MHF1GhSvQKjAVxcaSfqE9iH36PrgSDVnhWt0qsaKjraKsDXy50nLcdMWNbc941v7t8woWgQGVV'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	High entropy of concatenated method names: 'NOC81tgrhaMEvZFKfFS1vB4pMjzFkdKFjE', 'PWp7itE6MA7Q6Mt6BDU15Vp2d46qne3vDP', 'kBNeHrrMd2yyOTO8RLHtgecDIYlEayaroB', 'wwFuW5mlYgGtfLhRBlo8iWNrFa4LtFBBI3', 'eUjStOd1tRgbyHoJzcgx3kD08m2QkBdFiZ', 'lF3UmHXRLMMNiI2wYNe1EOSj9oF2gSOwHs', 'dm5F6FIuOnB9NU4YpDVy2lD3WyYLYQ1U92', 'EbKRSNC8Ar6f9SSgJJMloythXlRNbrUgxt', 'U9MDMV2qX0fme01XgcIlFHK6uax6PkFmRb', 'Z6ncaO2On6MqZqqlAhEboOBdExFIhoxNPk'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'LCSo9sSuwXZM1gRSBlBoig5fm9Wa49L1UO', 'OWEu2tda9MuWposFbiLoOnDpTvOzDAvfhrxZc3JwbZme9qkvGeKFrvadnUKsnx9C18SIYbwlMKLIXEPOdpuB', '_79XQMJdP2nGQE8BuDvji79HJDnx3a6kPOXzbTP7lW01HwJMysl53TVOxRNQFXNXsACxjYrLvgsFeUxHqSF8k', '_13tFW9Eyzw5spEi7ZzJK7ye9KhiPgI0Cxcu7CxYaZAPB3Z14YMr6k26Y5wEUo6r3RPwReDxnNwU5MzG9tR2w', 'QLqFvKO4cKP6lTZR0O1KMo7LCIdxjwTuwbC1o5YL0zLoe1l5KbxkZX9XfSYhFH4fturIxpgRVqCiXwsRCeZx'

Drops PE files

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	File created: C:\Users\user\AppData\Roaming\KUPAL.exe			Jump to dropped file
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	File created: C:\Users\user\AppData\Roaming\ADWASl.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: UH7iNNKgPW.exe, 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, KUPAL.exe, 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, ADWASl.exe, 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Memory allocated: 1120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Memory allocated: 1ACF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Memory allocated: 15E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Memory allocated: 1B0C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Memory allocated: DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Memory allocated: 1AA60000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7750	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1881	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7608	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2067	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6978
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1217
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6900
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2715
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7433
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2113
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5936
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1066
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7123
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1117
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6329
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 958

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe TID: 3300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2224	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5544	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3924	Thread sleep count: 6978 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5280	Thread sleep count: 1217 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3200	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1016	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4184	Thread sleep count: 6900 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3756	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5916	Thread sleep count: 2715 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6640	Thread sleep count: 7433 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1592	Thread sleep count: 2113 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2056	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 796	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1088	Thread sleep count: 7123 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5680	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1088	Thread sleep count: 1117 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3300	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3896	Thread sleep count: 6329 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1524	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6392	Thread sleep count: 958 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6112	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\KUPAL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\KUPAL.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: ADWASl.exe, 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: vmware
Source: UH7iNNKgPW.exe, 00000000.00000002.2119347657.000000001B948000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process queried: DebugPort			Jump to behavior

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ADWASl.exe'
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ADWASl.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Roaming\KUPAL.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\KUPAL.exe "C:\Users\user\AppData\Roaming\KUPAL.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\ADWASl.exe "C:\Users\user\AppData\Roaming\ADWASl.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KUPAL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ADWASl.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ADWASl.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'	Jump to behavior

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Queries volume information: C:\Users\user\Desktop\UH7iNNKgPW.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Queries volume information: C:\Users\user\AppData\Roaming\KUPAL.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Queries volume information: C:\Users\user\AppData\Roaming\ADWASl.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UH7iNNKgPW.exe PID: 4344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KUPAL.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ADWASl.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UH7iNNKgPW.exe PID: 4344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KUPAL.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ADWASl.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UH7iNNKgPW.exe PID: 4344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KUPAL.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ADWASl.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UH7iNNKgPW.exe PID: 4344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KUPAL.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ADWASl.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

Contacted Domains

Name	IP	Active
ip-api.com	208.95.112.1	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
plant-serial.gl.at.ply.gg	true	Avira URL Cloud: malware	unknown
127.0.0.1	false		high
http://ip-api.com/line/?fields=hosting	false		high
147.185.221.18	true	Avira URL Cloud: safe	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: UH7iNNKgPW.exe

Avira: detected

Antivirus detection for URL or domain

Source: plant-serial.gl.at.ply.gg

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ADWASl.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	ReversingLabs: Detection: 87%

Multi AV Scanner detection for submitted file

Source: UH7iNNKgPW.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: UH7iNNKgPW.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: 127.0.0.1,plant-serial.gl.at.ply.gg,147.185.221.18
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: 28000
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: <123456789>
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: <Xwormmm>
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: XWorm V5.2
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: USB.exe
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: %Public%
Source: 2.0.KUPAL.exe.e90000.0.unpack	String decryptor: system user

Uses 32bit PE files

Source: UH7iNNKgPW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: UH7iNNKgPW.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 127.0.0.1
Source: Malware configuration extractor	URLs: plant-serial.gl.at.ply.gg
Source: Malware configuration extractor	URLs: 147.185.221.18

Yara detected Generic Downloader

Source: Yara match	File source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: powershell.exe, 0000000E.00000002.2592473371.000001FF9A034000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000013.00000002.3179493609.000002403A4C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 0000000A.00000002.2557353060.00000225E3261000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2592473371.000001FF9A034000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3085151044.0000022F3E4C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3179493609.000002403A4C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000A.00000002.2557353060.00000225E3261000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2592473371.000001FF9A034000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3085151044.0000022F3E4C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3179493609.000002403A4C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: UH7iNNKgPW.exe, 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, KUPAL.exe, 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, ADWASl.exe, 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000004.00000002.2252587537.0000018C5E1AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2514087169.00000225DA9DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2544361003.000001FF919A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2962419416.0000022F35D6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2207271246.0000018C4E369000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2209605064.0000022BC69BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2332218680.00000225CAB99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2344876942.000001FF81B58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2617968389.0000022F25F29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2669542259.0000024021DB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000004.00000002.2207271246.0000018C4E141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2209605064.0000022BC6791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2332218680.00000225CA971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2344876942.000001FF81931000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2617968389.0000022F25D01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2669542259.0000024021B91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3191732237.0000023A60C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2207271246.0000018C4E369000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2209605064.0000022BC69BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2332218680.00000225CAB99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2344876942.000001FF81B58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2617968389.0000022F25F29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2669542259.0000024021DB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.2266366897.0000018C666FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000004.00000002.2207271246.0000018C4E141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2209605064.0000022BC6791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2332218680.00000225CA971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2344876942.000001FF81931000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2617968389.0000022F25D01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2669542259.0000024021B91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.3191732237.0000023A60C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: UH7iNNKgPW.exe, 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, KUPAL.exe, 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, ADWASl.exe, 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000015.00000002.3191732237.0000023A60EA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2252587537.0000018C5E1AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2514087169.00000225DA9DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2544361003.000001FF919A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2962419416.0000022F35D6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.3100189889.0000024031BFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD34898505	4_2_00007FFD34898505
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD34898E05	4_2_00007FFD34898E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD34892785	4_2_00007FFD34892785
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD34964031	4_2_00007FFD34964031
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD348B8E05	6_2_00007FFD348B8E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD348B2785	6_2_00007FFD348B2785
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD349839D1	6_2_00007FFD349839D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD349830E9	6_2_00007FFD349830E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD348AB9FA	10_2_00007FFD348AB9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD348A5EFA	10_2_00007FFD348A5EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD348A8EFA	10_2_00007FFD348A8EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD34972E11	10_2_00007FFD34972E11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD348A25ED	14_2_00007FFD348A25ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD348A89F2	14_2_00007FFD348A89F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD348A5BFA	14_2_00007FFD348A5BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD348A5B80	14_2_00007FFD348A5B80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD3497332B	14_2_00007FFD3497332B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFD349830E9	17_2_00007FFD349830E9

Sample file is different than original file name gathered from version info

Source: UH7iNNKgPW.exe, 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameADWASl.exe4 vs UH7iNNKgPW.exe

Uses 32bit PE files

Source: UH7iNNKgPW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: UH7iNNKgPW.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: UH7iNNKgPW.exe, XEzSZgHCvRU6PIyyVykcAoQt2wN8F3qN55AqJmuSAn9IC182lR.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: KUPAL.exe.0.dr, fvcQklKJdlNQFE3FnktKn5rwnsWAHQnX7ZDmsBEzElTtjwicOZWy9bgOWSJi16v2zL2sRdMu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: KUPAL.exe.0.dr, fvcQklKJdlNQFE3FnktKn5rwnsWAHQnX7ZDmsBEzElTtjwicOZWy9bgOWSJi16v2zL2sRdMu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: KUPAL.exe.0.dr, bh7l0j4xfyFFiqWrV16LaYUHH1r7OE1hOyUvzHKQwLQZNAKauYR1fO6QuHKR7w1YbY7VUbCu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ADWASl.exe.0.dr, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ADWASl.exe.0.dr, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ADWASl.exe.0.dr, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: KUPAL.exe.0.dr, 0XvkmsbaVPd9WO3z1bUGAgNZ9hKL0wc4JJSAPvsw.cs	Base64 encoded string: 'kNiYaE/ny3jmmYIBwtyZPjJPbuznt9OawWXkTsR9qA+BlqrnPCkdj99mEAl+sE3S'
Source: ADWASl.exe.0.dr, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	Base64 encoded string: 'sJNo6boBGfuqf+zUnbEZYTm08q2As0UwHWQ61zsciw1Xe728g8wKSHcKUqY9qbHTdGZvdKfpKivLLLNt7kA/Bg==', 'XrHaz9A9D06Phx36ThT6paRm3KHM75wD4BRmKyX9gZ91uwde6LEWlqjJg+Qv/du2', 'jKLixTgZyZ5H74ntDUcqJxob5Nk2OsiSVuXXTFCpO9feEYA7lO6gYYyTSMRmONgV', 'Y6PQpJ8W7I8YHEoJaQ8aBqujXGrN3SneWbvPXfDqciVN5Eakoll0GrHkafC61/fm'
Source: ADWASl.exe.0.dr, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	Base64 encoded string: 'YdOkHPHs6JugyEfqoaWYQzK5hjMxLCFviw6tfZhMlskyEtKOHVTx6IfOLDcnGqUFuL3uQtMtj4yPARkIWCDN'
Source: ADWASl.exe.0.dr, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	Base64 encoded string: 'hSA5Wdc33Xof2OwTnKOLa8so370NRMaNQcqRYHc4LrWK5PKbcSRtfNito9gCsJvS12xxgJv6VsBQXSiJukvg', 'JYxmlGmMa6UJHLWc30XTaOlKNcYGq8gz8YOhJsQZmAL7FVMjYMe1fn9a5PhcHiPAfLMy5bvNuPbjTTSrCXkk'
Source: ADWASl.exe.0.dr, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	Base64 encoded string: 'nju2v7Vt1R40BED8pEyTxKXI6CptbMnMsRQlcnuMehvWSZFNGekIX77ao0fCbDJKT1NXymEjwkuZCSTH9ufJ'
Source: ADWASl.exe.0.dr, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Base64 encoded string: 'nci1rHCJyRJQrXJ6TV9iSbUp7C10zbmcqITIdEHF2Yi8WK5aQB7V65GJ2B8WUbYLnDS6pIlUdt76vztuudGM', 'quE77m97gwbNeooClY0DvShSQbsjzcqRcXtWGuGrgAS37IOmOPCXaXmytLaQENYxbOXg3a2ILt3B1kaVXR2R', 'KkA7kqJv5hIOfwyYaEd3XfdzaYT03XorqBmoF2FQwl5HGnOyMec9ZizncNN3CeEuL82VpSkjTOcwuugZCzHm', 'QFtQ6uhzug2xNTvoxHpR3fxbroshkRkThngsrAJXb0wF3aa3uwdZbhYq32N2hX2hv0tHaUmvrT8TapbZQrfn', 'rbA6bD92SAnGIYYW1g7V8Eu92RQ81XCyQcoYrFqYzWplNCiZ2OSVFMtobkWhqUAliwaxnZ7TGPxvdMqqjkRd', 'QW8rW4VTLMnsYtvbKVnUUfnYaXfUkMHfflVTslNLDxiKrXu4LGei2YEYX3498LroZHchBA10dHP1ey94cjZP', 'ncARmhGIRPodzCFcskZDKU4UaMqxSl64LjzTHhZ5z90AuhxxNMiELYJQ3odcTxt3ZkVG3Ik9TGA2zPTxbc1d', 'pHgRsbUI4Ynb3C7iJsGu5rXmE00WEDmecxC8Ap2iH1Mm7LmPXIgloi9OxiN8kofpwunCXWCoXk49l6rkX8Q8', 'SyEJpyAImLmr6a2sUbQmSiErJ1EHN4TccknuvCDsJrlQuNPsw5Qpukbc21DJxQ7U6VSQ7GqptIMkL7sOLzUW', 'mp62tWEyp5iwpbT5xlEgr4NnM3QHfF0zhOUt19R9lVpd5TQxVCKStg9SvPdkavaJYwR2VoPVcy3BBmPghD7Z', 'VaB7i6WVZKvKO2B7A9MZwVl1akVGqLsJgBf58GLwXj26JFtXu18dnrzg30XxWe66YQ4IBNPen7bzE7ska9rK', 'ZqJcJqIB6l9oIpdDMkPX3iYYVoBRdJP8plmCxri0xRK4qqz6baJ8IaaOd539sa83QQ7uEWyHcCNvjl3tY5Ml', 'I05FeP8TX5O0rO6mO6ERKVvCCpyQ4vFwQiwwUKY4Njgn0wR13XgwyeoXO82WjjbfxmgkBcRexBuJfru6c0w6', 'moltyu2jIOlDc4fRe6LzzyAIPP9yjcklmWQ99vLVwoMOeyDP4NXQwtAy2AKjo6sc4vl5XbztWbvmcnK7MhfW'
Source: ADWASl.exe.0.dr, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	Base64 encoded string: 'uB6jeIJPzRYJkd639zhowrMemVgi1wKX283IYjpVBSRnjMHiuQl5cO4KZVRoDCimDjTVFpcKmAzsLRtfIkcm', 'ILGrxTudKOf9mRjOfBsQDjeuDPZp9Da6uzSULDye0XwNxhweqW8wRJd54KFC3TaWNhbpUYIYsGuRoJ4HAJ8x'
Source: ADWASl.exe.0.dr, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	Base64 encoded string: 'iCIUBBtr5yBUUD7pRX8vueyjeApR1DYh86qALhw7kjKLS45vQPpGBPZMQefYs2MrloDma0DkCN585WMyiwmP', 'PW4a6F32BJIK4WR8kZ7LRHe4WbxB2KOSC4RcknKMDyTZxqYLDhQL1m1bwikI0dWyCntbQvd8ZY8AlxeEc2PH', 'otp0HWeipx0H6jbscpkVveoRjdDRKKDoz7vPHhSCgyxg3q6oUoUhr7PIN20p1YNCbfSx04T2ytDw3rS8B58U', 'UFdlAD3PcPsJJEAVMOZ6y8uNKLOo9yTOfnWuY7qtXCOg9aP13yzYzox8XYxyQTMW0vipBlYuVPOLNzVxVHvB'
Source: ADWASl.exe.0.dr, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	Base64 encoded string: 'rc7hlhnncXyYCgHofxV8AsiQ8YI91T5C7EYW9wD9zzLJdiFB8d2o81HFEoZGPrqJv3c8nBoeKlXYY2S1r8T0'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	Base64 encoded string: 'sJNo6boBGfuqf+zUnbEZYTm08q2As0UwHWQ61zsciw1Xe728g8wKSHcKUqY9qbHTdGZvdKfpKivLLLNt7kA/Bg==', 'XrHaz9A9D06Phx36ThT6paRm3KHM75wD4BRmKyX9gZ91uwde6LEWlqjJg+Qv/du2', 'jKLixTgZyZ5H74ntDUcqJxob5Nk2OsiSVuXXTFCpO9feEYA7lO6gYYyTSMRmONgV', 'Y6PQpJ8W7I8YHEoJaQ8aBqujXGrN3SneWbvPXfDqciVN5Eakoll0GrHkafC61/fm'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	Base64 encoded string: 'YdOkHPHs6JugyEfqoaWYQzK5hjMxLCFviw6tfZhMlskyEtKOHVTx6IfOLDcnGqUFuL3uQtMtj4yPARkIWCDN'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	Base64 encoded string: 'hSA5Wdc33Xof2OwTnKOLa8so370NRMaNQcqRYHc4LrWK5PKbcSRtfNito9gCsJvS12xxgJv6VsBQXSiJukvg', 'JYxmlGmMa6UJHLWc30XTaOlKNcYGq8gz8YOhJsQZmAL7FVMjYMe1fn9a5PhcHiPAfLMy5bvNuPbjTTSrCXkk'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	Base64 encoded string: 'nju2v7Vt1R40BED8pEyTxKXI6CptbMnMsRQlcnuMehvWSZFNGekIX77ao0fCbDJKT1NXymEjwkuZCSTH9ufJ'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Base64 encoded string: 'nci1rHCJyRJQrXJ6TV9iSbUp7C10zbmcqITIdEHF2Yi8WK5aQB7V65GJ2B8WUbYLnDS6pIlUdt76vztuudGM', 'quE77m97gwbNeooClY0DvShSQbsjzcqRcXtWGuGrgAS37IOmOPCXaXmytLaQENYxbOXg3a2ILt3B1kaVXR2R', 'KkA7kqJv5hIOfwyYaEd3XfdzaYT03XorqBmoF2FQwl5HGnOyMec9ZizncNN3CeEuL82VpSkjTOcwuugZCzHm', 'QFtQ6uhzug2xNTvoxHpR3fxbroshkRkThngsrAJXb0wF3aa3uwdZbhYq32N2hX2hv0tHaUmvrT8TapbZQrfn', 'rbA6bD92SAnGIYYW1g7V8Eu92RQ81XCyQcoYrFqYzWplNCiZ2OSVFMtobkWhqUAliwaxnZ7TGPxvdMqqjkRd', 'QW8rW4VTLMnsYtvbKVnUUfnYaXfUkMHfflVTslNLDxiKrXu4LGei2YEYX3498LroZHchBA10dHP1ey94cjZP', 'ncARmhGIRPodzCFcskZDKU4UaMqxSl64LjzTHhZ5z90AuhxxNMiELYJQ3odcTxt3ZkVG3Ik9TGA2zPTxbc1d', 'pHgRsbUI4Ynb3C7iJsGu5rXmE00WEDmecxC8Ap2iH1Mm7LmPXIgloi9OxiN8kofpwunCXWCoXk49l6rkX8Q8', 'SyEJpyAImLmr6a2sUbQmSiErJ1EHN4TccknuvCDsJrlQuNPsw5Qpukbc21DJxQ7U6VSQ7GqptIMkL7sOLzUW', 'mp62tWEyp5iwpbT5xlEgr4NnM3QHfF0zhOUt19R9lVpd5TQxVCKStg9SvPdkavaJYwR2VoPVcy3BBmPghD7Z', 'VaB7i6WVZKvKO2B7A9MZwVl1akVGqLsJgBf58GLwXj26JFtXu18dnrzg30XxWe66YQ4IBNPen7bzE7ska9rK', 'ZqJcJqIB6l9oIpdDMkPX3iYYVoBRdJP8plmCxri0xRK4qqz6baJ8IaaOd539sa83QQ7uEWyHcCNvjl3tY5Ml', 'I05FeP8TX5O0rO6mO6ERKVvCCpyQ4vFwQiwwUKY4Njgn0wR13XgwyeoXO82WjjbfxmgkBcRexBuJfru6c0w6', 'moltyu2jIOlDc4fRe6LzzyAIPP9yjcklmWQ99vLVwoMOeyDP4NXQwtAy2AKjo6sc4vl5XbztWbvmcnK7MhfW'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	Base64 encoded string: 'uB6jeIJPzRYJkd639zhowrMemVgi1wKX283IYjpVBSRnjMHiuQl5cO4KZVRoDCimDjTVFpcKmAzsLRtfIkcm', 'ILGrxTudKOf9mRjOfBsQDjeuDPZp9Da6uzSULDye0XwNxhweqW8wRJd54KFC3TaWNhbpUYIYsGuRoJ4HAJ8x'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	Base64 encoded string: 'iCIUBBtr5yBUUD7pRX8vueyjeApR1DYh86qALhw7kjKLS45vQPpGBPZMQefYs2MrloDma0DkCN585WMyiwmP', 'PW4a6F32BJIK4WR8kZ7LRHe4WbxB2KOSC4RcknKMDyTZxqYLDhQL1m1bwikI0dWyCntbQvd8ZY8AlxeEc2PH', 'otp0HWeipx0H6jbscpkVveoRjdDRKKDoz7vPHhSCgyxg3q6oUoUhr7PIN20p1YNCbfSx04T2ytDw3rS8B58U', 'UFdlAD3PcPsJJEAVMOZ6y8uNKLOo9yTOfnWuY7qtXCOg9aP13yzYzox8XYxyQTMW0vipBlYuVPOLNzVxVHvB'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	Base64 encoded string: 'rc7hlhnncXyYCgHofxV8AsiQ8YI91T5C7EYW9wD9zzLJdiFB8d2o81HFEoZGPrqJv3c8nBoeKlXYY2S1r8T0'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	Base64 encoded string: 'sJNo6boBGfuqf+zUnbEZYTm08q2As0UwHWQ61zsciw1Xe728g8wKSHcKUqY9qbHTdGZvdKfpKivLLLNt7kA/Bg==', 'XrHaz9A9D06Phx36ThT6paRm3KHM75wD4BRmKyX9gZ91uwde6LEWlqjJg+Qv/du2', 'jKLixTgZyZ5H74ntDUcqJxob5Nk2OsiSVuXXTFCpO9feEYA7lO6gYYyTSMRmONgV', 'Y6PQpJ8W7I8YHEoJaQ8aBqujXGrN3SneWbvPXfDqciVN5Eakoll0GrHkafC61/fm'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	Base64 encoded string: 'YdOkHPHs6JugyEfqoaWYQzK5hjMxLCFviw6tfZhMlskyEtKOHVTx6IfOLDcnGqUFuL3uQtMtj4yPARkIWCDN'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	Base64 encoded string: 'hSA5Wdc33Xof2OwTnKOLa8so370NRMaNQcqRYHc4LrWK5PKbcSRtfNito9gCsJvS12xxgJv6VsBQXSiJukvg', 'JYxmlGmMa6UJHLWc30XTaOlKNcYGq8gz8YOhJsQZmAL7FVMjYMe1fn9a5PhcHiPAfLMy5bvNuPbjTTSrCXkk'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	Base64 encoded string: 'nju2v7Vt1R40BED8pEyTxKXI6CptbMnMsRQlcnuMehvWSZFNGekIX77ao0fCbDJKT1NXymEjwkuZCSTH9ufJ'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	Base64 encoded string: 'nci1rHCJyRJQrXJ6TV9iSbUp7C10zbmcqITIdEHF2Yi8WK5aQB7V65GJ2B8WUbYLnDS6pIlUdt76vztuudGM', 'quE77m97gwbNeooClY0DvShSQbsjzcqRcXtWGuGrgAS37IOmOPCXaXmytLaQENYxbOXg3a2ILt3B1kaVXR2R', 'KkA7kqJv5hIOfwyYaEd3XfdzaYT03XorqBmoF2FQwl5HGnOyMec9ZizncNN3CeEuL82VpSkjTOcwuugZCzHm', 'QFtQ6uhzug2xNTvoxHpR3fxbroshkRkThngsrAJXb0wF3aa3uwdZbhYq32N2hX2hv0tHaUmvrT8TapbZQrfn', 'rbA6bD92SAnGIYYW1g7V8Eu92RQ81XCyQcoYrFqYzWplNCiZ2OSVFMtobkWhqUAliwaxnZ7TGPxvdMqqjkRd', 'QW8rW4VTLMnsYtvbKVnUUfnYaXfUkMHfflVTslNLDxiKrXu4LGei2YEYX3498LroZHchBA10dHP1ey94cjZP', 'ncARmhGIRPodzCFcskZDKU4UaMqxSl64LjzTHhZ5z90AuhxxNMiELYJQ3odcTxt3ZkVG3Ik9TGA2zPTxbc1d', 'pHgRsbUI4Ynb3C7iJsGu5rXmE00WEDmecxC8Ap2iH1Mm7LmPXIgloi9OxiN8kofpwunCXWCoXk49l6rkX8Q8', 'SyEJpyAImLmr6a2sUbQmSiErJ1EHN4TccknuvCDsJrlQuNPsw5Qpukbc21DJxQ7U6VSQ7GqptIMkL7sOLzUW', 'mp62tWEyp5iwpbT5xlEgr4NnM3QHfF0zhOUt19R9lVpd5TQxVCKStg9SvPdkavaJYwR2VoPVcy3BBmPghD7Z', 'VaB7i6WVZKvKO2B7A9MZwVl1akVGqLsJgBf58GLwXj26JFtXu18dnrzg30XxWe66YQ4IBNPen7bzE7ska9rK', 'ZqJcJqIB6l9oIpdDMkPX3iYYVoBRdJP8plmCxri0xRK4qqz6baJ8IaaOd539sa83QQ7uEWyHcCNvjl3tY5Ml', 'I05FeP8TX5O0rO6mO6ERKVvCCpyQ4vFwQiwwUKY4Njgn0wR13XgwyeoXO82WjjbfxmgkBcRexBuJfru6c0w6', 'moltyu2jIOlDc4fRe6LzzyAIPP9yjcklmWQ99vLVwoMOeyDP4NXQwtAy2AKjo6sc4vl5XbztWbvmcnK7MhfW'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	Base64 encoded string: 'uB6jeIJPzRYJkd639zhowrMemVgi1wKX283IYjpVBSRnjMHiuQl5cO4KZVRoDCimDjTVFpcKmAzsLRtfIkcm', 'ILGrxTudKOf9mRjOfBsQDjeuDPZp9Da6uzSULDye0XwNxhweqW8wRJd54KFC3TaWNhbpUYIYsGuRoJ4HAJ8x'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	Base64 encoded string: 'iCIUBBtr5yBUUD7pRX8vueyjeApR1DYh86qALhw7kjKLS45vQPpGBPZMQefYs2MrloDma0DkCN585WMyiwmP', 'PW4a6F32BJIK4WR8kZ7LRHe4WbxB2KOSC4RcknKMDyTZxqYLDhQL1m1bwikI0dWyCntbQvd8ZY8AlxeEc2PH', 'otp0HWeipx0H6jbscpkVveoRjdDRKKDoz7vPHhSCgyxg3q6oUoUhr7PIN20p1YNCbfSx04T2ytDw3rS8B58U', 'UFdlAD3PcPsJJEAVMOZ6y8uNKLOo9yTOfnWuY7qtXCOg9aP13yzYzox8XYxyQTMW0vipBlYuVPOLNzVxVHvB'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	Base64 encoded string: 'rc7hlhnncXyYCgHofxV8AsiQ8YI91T5C7EYW9wD9zzLJdiFB8d2o81HFEoZGPrqJv3c8nBoeKlXYY2S1r8T0'

Source: ADWASl.exe.0.dr, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ADWASl.exe.0.dr, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: KUPAL.exe.0.dr, awl0qWwno02IS3TZTlMW72ewpRG8JCOq28YLwgSw.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: KUPAL.exe.0.dr, awl0qWwno02IS3TZTlMW72ewpRG8JCOq28YLwgSw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@29/36@1/1

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

File created: C:\Users\user\AppData\Roaming\KUPAL.exe

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_03
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Mutant created: \Sessions\1\BaseNamedObjects\mUneoSv3FUAeQ4a2
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2656:120:WilError_03
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Mutant created: \Sessions\1\BaseNamedObjects\t1DChNHd6c9Qof0cr
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Mutant created: \Sessions\1\BaseNamedObjects\WEoEbM8OdImCc10z
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4932:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nyeksvtm.nqj.ps1

Jump to behavior

Source: UH7iNNKgPW.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: UH7iNNKgPW.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: UH7iNNKgPW.exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\UH7iNNKgPW.exe "C:\Users\user\Desktop\UH7iNNKgPW.exe"
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\KUPAL.exe "C:\Users\user\AppData\Roaming\KUPAL.exe"
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\ADWASl.exe "C:\Users\user\AppData\Roaming\ADWASl.exe"
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ADWASl.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KUPAL.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ADWASl.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\KUPAL.exe "C:\Users\user\AppData\Roaming\KUPAL.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\ADWASl.exe "C:\Users\user\AppData\Roaming\ADWASl.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KUPAL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ADWASl.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ADWASl.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'	Jump to behavior

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: UH7iNNKgPW.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: UH7iNNKgPW.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0XvkmsbaVPd9WO3z1bUGAgNZ9hKL0wc4JJSAPvsw.PhuOSqiW3h3VaUPTbztuOw8rPFphC7RomB1mumCb,_0XvkmsbaVPd9WO3z1bUGAgNZ9hKL0wc4JJSAPvsw.rburoukbazQFJTDNfC5dFQImPdItBxK06mfocpdR,_0XvkmsbaVPd9WO3z1bUGAgNZ9hKL0wc4JJSAPvsw.IzcbDKfDunVXRnLq4y8oBftwUo0m7N8hWKrUODe1,_0XvkmsbaVPd9WO3z1bUGAgNZ9hKL0wc4JJSAPvsw.QY25jgyPTI68XbEPwIDfmWwSv1m3fYVJkwr8muqM,fvcQklKJdlNQFE3FnktKn5rwnsWAHQnX7ZDmsBEzElTtjwicOZWy9bgOWSJi16v2zL2sRdMu.amvGhdGvyeGb46m()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{K1Bgpf4DyJ3i012BuW9VQBj2b6Yg0P9sSucEVY6PYWCO7CZQMduwZSigknAqAyL9RC0YKvzR[2],fvcQklKJdlNQFE3FnktKn5rwnsWAHQnX7ZDmsBEzElTtjwicOZWy9bgOWSJi16v2zL2sRdMu.IBAFke1hf7vKohL(Convert.FromBase64String(K1Bgpf4DyJ3i012BuW9VQBj2b6Yg0P9sSucEVY6PYWCO7CZQMduwZSigknAqAyL9RC0YKvzR[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { K1Bgpf4DyJ3i012BuW9VQBj2b6Yg0P9sSucEVY6PYWCO7CZQMduwZSigknAqAyL9RC0YKvzR[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.ykrfjf8FB3D8jVEbrAC0MC1UMmVBNZ3e6t,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.EroEfVXUZHuuJtXd2jAGBMSjWEsxQw13Yb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.FToqSCLet2mLnp2wImT0fMUQxno20MZ7Xb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.asaUcKWqTFRxXngFkQhHRZ2Fa0S5xYNQ9S,iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.LpJmYH1n7PUogp2YGdIvYAYmaYF8u20huL()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2],iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7._68SouWwBJh9NK888kFAkROkcXWRE4IgNTL(Convert.FromBase64String(tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.ykrfjf8FB3D8jVEbrAC0MC1UMmVBNZ3e6t,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.EroEfVXUZHuuJtXd2jAGBMSjWEsxQw13Yb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.FToqSCLet2mLnp2wImT0fMUQxno20MZ7Xb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.asaUcKWqTFRxXngFkQhHRZ2Fa0S5xYNQ9S,iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.LpJmYH1n7PUogp2YGdIvYAYmaYF8u20huL()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2],iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7._68SouWwBJh9NK888kFAkROkcXWRE4IgNTL(Convert.FromBase64String(tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.ykrfjf8FB3D8jVEbrAC0MC1UMmVBNZ3e6t,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.EroEfVXUZHuuJtXd2jAGBMSjWEsxQw13Yb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.FToqSCLet2mLnp2wImT0fMUQxno20MZ7Xb,ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.asaUcKWqTFRxXngFkQhHRZ2Fa0S5xYNQ9S,iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.LpJmYH1n7PUogp2YGdIvYAYmaYF8u20huL()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2],iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7._68SouWwBJh9NK888kFAkROkcXWRE4IgNTL(Convert.FromBase64String(tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { tDbP1iyaBQUoNHg2rVEwWgcjbjDuU1Ty6F[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: VmEQYJZAGyfXfaKDBbzrpoyLQpeh8o7VhJ6Yweo5 System.AppDomain.Load(byte[])
Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: aEUO6QbOpPJ85zBVSK067WLzI6gUn0OMKbH0olJwMZnd30qPgTWmQZ2qVQ8R9Uu1tU2NdtVU System.AppDomain.Load(byte[])
Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	.Net Code: aEUO6QbOpPJ85zBVSK067WLzI6gUn0OMKbH0olJwMZnd30qPgTWmQZ2qVQ8R9Uu1tU2NdtVU
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT System.AppDomain.Load(byte[])
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy System.AppDomain.Load(byte[])
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT System.AppDomain.Load(byte[])
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy System.AppDomain.Load(byte[])
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT System.AppDomain.Load(byte[])
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy System.AppDomain.Load(byte[])
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	.Net Code: UZVV8PINtiLf4HcaY3qXvnzqg8MMXdC7Cy

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD3477D2A5 pushad ; iretd	4_2_00007FFD3477D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD3479D2A5 pushad ; iretd	6_2_00007FFD3479D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD3478D2A5 pushad ; iretd	10_2_00007FFD3478D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD3478D2A5 pushad ; iretd	14_2_00007FFD3478D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD3497050C push ds; iretd	14_2_00007FFD34970522
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD34974599 push esi; iretd	14_2_00007FFD3497459A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFD3479D2A5 pushad ; iretd	17_2_00007FFD3479D2A6

Source: UH7iNNKgPW.exe

Static PE information: section name: .text entropy: 7.976907442866878

Source: UH7iNNKgPW.exe, XEzSZgHCvRU6PIyyVykcAoQt2wN8F3qN55AqJmuSAn9IC182lR.cs	High entropy of concatenated method names: 'kcc2xQSHauM1QBY9rMzjlcTBkAGCWoyyfCvF2SUZjWZXPK52cV', 'dzOTNA3cVBMpXaDfg5rzmjTZmt4dS9caFgGa0PLtvBEF1fkebr', 'ZNl6O22DcHNMsQ8ZXsDco1pc4sMslpqRuiy93nkIflBettZ4ZW', 'eSf8lNxXjjiRNEHXUzWVpUWbn5zIBSvbqNGB8M29dM3lpWMXoI', 'q9CSJRPC6dUbBEMuJfGJ9XRFMHgyHFZd7x1g3f8xEeJwGslFsA', 'DZ0wFBYCL7kHdcl98kePuKxn46DPKzPNQYHZ8M7srdKjJK0VZV', 'O51aNvdYfEso0A5NHeudGK8qA7UTSYzcgNfhi1FcDmXH3C78H8', 'ORpRqCYdH7KSmXezvI4XgDkDiBaIQ6N3vlrcOznK2biSS6X1hB', 'aVwWE1NtP0UcXYbI0gcqANqDkeBMMvRcgbw6kXxsHcucSadCHo', '_52hm6B4j8hFjoYu7TMy1Rw9OfdOmmr2mf4BbESrJV8M0Ao3A7W'
Source: UH7iNNKgPW.exe, 3eP2DGdEk11wbp0AUKN5845c2YWe3IJ3xPbnLQoglwkBHsdSEIIrBuaYefCbvVyX.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'XumURgCgFsE0grPAJJSgEkOIP96dDAlgwtHGkPkk5muoas2M0g', 'kL84MfpWq3EaMxsTys0qTPAErcmZntZF7H26PngIGeeVoHogI7', 'Rwrdox8IdCjZQGffrHkQxVxlWehgphFooFjGDE5nmHeI5ZQkTz', 'PhfxWHoG2a9glFIjckHIEamgYUl7oguxE7C8BAk7F8ClBQ6Yaf'
Source: KUPAL.exe.0.dr, Gpb9iKg5zffq01B.cs	High entropy of concatenated method names: 'tj26o9I5F40wr4Y', 'g9urBN1GifMOIbT', 'F53hwK1CzrqodgW', 'zsI1BstG3v2F3aB', 'MNgnu1s9P4EkKqJ', 'mkZgnAgV0SBUjfs', 'Vac9ep9NXe8z8YR', 'KvTUNQvA3nvMCTS', 'IxfU6BVho15qJ77', 'yJtMXIPxedFc42J'
Source: KUPAL.exe.0.dr, fvcQklKJdlNQFE3FnktKn5rwnsWAHQnX7ZDmsBEzElTtjwicOZWy9bgOWSJi16v2zL2sRdMu.cs	High entropy of concatenated method names: 'FAE9MWrH890r1xO6c3rJ3QyAJrePJtigXS8BahQvEQigz4L2RL0bAuNvYJedPuTQ6naW87mq', 'ig3TqYk0ASC21dw3zOx59AOMeUaS8EHKFBbY1oo8HgF0j0EyZFDYRg5ZengUkgDtp99dno2q', 'IEvfen5HOU4ejarSJUQBsmEP3R6cnAB2hC1TteMUu1BTOCIdE3YRq6iSueI7QeaLSR6BEWkJ', '_91aeS2ugcrtlKkggaiGK7SjgXqBWtFwEEoJ48zyoqQnyN6Ox5qIOzJFJq1mAZgPGMM9s7BfC', '_87ZWHGckLSqCVt7ATT4vK3RhlZxWnuUEebKPQYrzLMZDR4KaLUuOCO1K1vva3HALxVIgOI9Y', '_9Izl3vWKf5PnArVqPMKqNFFcNh2d0ZkepSPixics1caTrp19yJM86vYUyZAjqY2NzaTUkiwn', 'NRwPPLEKdXSrq8q9nWmtokx1YYfEYHk1lbji7gtdaV4TbxqXKqApltbSTvCpYzFIORUsPdMS', 'NAMqH0HKPUIPbvuK9v0k6mGtdkvfJlAR0r8rZGt5RwtBGVFh43blJEKFrkRBB5sXcw1KulGT', 'N71C0Jfc03zJLXM', 'SoRqnTsWlJVtTbu'
Source: KUPAL.exe.0.dr, 4876bMPFrp0s5NsTnGrYyX9sxgDyo6GzENUbRMaPJhUGu6c7agrN3XrMZr0croeO6m60eyDl.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'BJJsVmbBiURdgRYqcymk9XSpGC8bNfIBEg7Y6rlP0wUkSbB2fbolDaMQFC4W5UVD3pYjSsW2', '_3XvbsO88QqYtOlz', 'QYjcBqEA91Wn9NP', 'ibO7hKyPlLhxvvp', 'l6POfA7zEizGDDB'
Source: KUPAL.exe.0.dr, 9C1b2jUgRpT2sswXCXbFoA8Cr05AGpAGooZoM2DD.cs	High entropy of concatenated method names: 'ajxNA9IEIeZUdMRw9zo5PxNNgtWjbd7AuN0Xj5l6', 'VmEQYJZAGyfXfaKDBbzrpoyLQpeh8o7VhJ6Yweo5', 'oHopMgoxyFGtsJpygBKHt4KELMvhjrqEMD3Iesr8', 'sguELYWfSUTizTZEZYbZRZ7DOvJFqb3fA1OTf8Jc', '_4dH0CZSaSkEdJ8vqx7xDbTYjmpMZPm3hCa52HGZ0', 'mk035X1eVVMWksu6TN23YDN4JPniJRYwDgbkITBm', '_50HOeMNQHz3bpBz91s5sbkp2w92lnKBTl2FqbgfY', '_6o4dUFbZjEQ9DLlcLtYnu2EbZ2jWfkKoG5cOfoqASfRyBpV9Gd9ypjoBs3SeiwhP2eJT0PoO', 'ymc30zQKDIU08UxHjulCeQ3ALLVRysZJnoz9n881jZvPRCphMVX8z9zJ7R8hZ5tw9JGAl39B', 'JoIf0O9RCoVmb3USI5mTtgIA1bdRsl3aUa3UGYkSWLK4KfeGne6o6V74MZfCkErBpEmIkW1p'
Source: KUPAL.exe.0.dr, bh7l0j4xfyFFiqWrV16LaYUHH1r7OE1hOyUvzHKQwLQZNAKauYR1fO6QuHKR7w1YbY7VUbCu.cs	High entropy of concatenated method names: 'U0dLgk0ChxirxZaPswerOa0jqJutKP0gCicxwYLO0HjdBlZaKlp0oo5SBEsH5DtjScvACpo1', 'yxK4N9wOcUGgc2a', 'j4MTwLfhpj9EdQ1', 'w59jGNhPSa3DzbR', 'QmBG9aMQV6FtGDn'
Source: KUPAL.exe.0.dr, 3TnH11XWxOsnALveVE1XZ1msmmbCCXinCcqONlW9qOTaH40UcdKj9IqqyIM1v5P1U7HB9G2c.cs	High entropy of concatenated method names: 'zzH8SloKg2lGhimXX582BaJPLMo1hgLilGMqjSNEIBxmDo0Xqb29LAXGE0cpZhfFI1tVB1NE', 'Urxn5hfvouuQEAJ2y7w6WJayoRYEW0pImW7qQSwvIJ3AgfbD3rncrn7zSghVtyQPivybRTfY', 'Ic8LDg9hw5l1nFr', 'DKrBb3vsJ7baFy5', 'O0pqir1bUInACrM', '_1QeOfPChLFTrPBx'
Source: KUPAL.exe.0.dr, awl0qWwno02IS3TZTlMW72ewpRG8JCOq28YLwgSw.cs	High entropy of concatenated method names: 'qN0IB9hPi1qppaApcqiAe4sFxRRXf2lwdWB5jRlC', '_6W6Mn4MWMKoh2ADkZUH6GJ8nFI8je4ScsOuqWQsB', '_9mJNru8JnXmLYAU464ogzD6GKfEAIX7ijzGdk1Zu', 'NyC7egV2CDZIO2PnP67HnDlgUbdq0fU1tqepCCu8', 'JC8P9CmdtWKznr0yT40a6lO9rentUruy3bHuW5Eg', 'cMgiRqxSpdjLu8wi517VCIrKTwotswgo8tVFWfM0', 'yUEfcwBrAnHQfElecQbpIILM5cebKPpmFmFqkSqg', 'wMYWNVuvkIYc2Ng0uND5bVt1QhCPKnPpwClG4013', 'VLhVJ67JxPKLNZCPVK0vkpBdr7upQgWOXk7n920k', '_94JgXGgLfwqFghP7us16cQkKc8OwZQCNYwV8jnTU'
Source: KUPAL.exe.0.dr, HkXYzao033NbP35qRtQbQW6x8jekKgKTu4vHnKh2pWXbYuoeuNj1OuclGLmFdsBVBJortvq9.cs	High entropy of concatenated method names: 'Z3NCxC8EL1risoSfjCoq6H6cx84q4wSeJjSr1QZhOA10Zd9dshC5MkW4SltljC7Czj69Orvo', 'E8TTJvl8skSn7IR', 'gnWhNM7nKCrNhdQ', 'aysdm2VArPZn2Uc', 'A4dorEaUx8Dmocy'
Source: KUPAL.exe.0.dr, qxoQ9YMiJuBr6MiDEt9NWsZq59Rutag64lxDptib.cs	High entropy of concatenated method names: 'GKsBJ4OtrpjAE46xmOE0XDZH12K6CGrK2cve9CzL', 'pOi7VppjhQPlAJIQu3BnfoBOkxWEbBGMvlhb9stk', 'XWlHsGSbW1VweBDx7hiEBkPTPVZpFsTjgzWsZSlI', 'zJLSQrpKZAxaVs4K1TwhAp1F5RLIj2rrXQcwIdJL', 'QkNanFLRUUeWWZyBkkBkHeK9n603V5gZOwfMBbAR', 'iEcsd0pGC8KCDggW9Vpy2S3nsqFUTZztE2ejCspW', '_9x0ZflgRVkT9CV46mLrd6d5wEFWW6UxjV8o4c4Su', 'QVvWpfiardIYoE16Asf6GWXTjkpiCxpAYpSQrJP7', 'BIg5SitBdi756eYgRR3EBA0FqRRuI0xfKAwdCRqe', 'dsssygCdLOfgq1wUglJ1PKOITppkhcV0TITRBjy5'
Source: KUPAL.exe.0.dr, 9BEedHNZIxcDjX49XFwhs1P0rCYdoBQ6YaShTeGyU745ewZHhOMEXCMUfY4SdLxTRnJbH4rK.cs	High entropy of concatenated method names: 'NvPoy7rdRbmLoPdHQXUZPr8yT9v2Svd1SecCApSr85ZEvhNKeqGOy6uxAbIj2cM3lJzsLCLo', 'RQcse28C7mbBmA8txljwnkPbSNTHYmQBrt47WtADFwZhOgD9W9I7R7mxDY8euoV9Ol6dDL3k', 'exYdNqoERwrfakSziKsUIhzZQxRFFplnM3Xr4LcWl38OZksJNIqo7o68WMYpzY9ETCxjFMmQ', 'LqrRegV703oqNNtP4pz1HufA6icgriJqm6pAFRwiNj1Dh4hKH0yTTL81jBzCPu58w95CM6O3', '_86pvVjPXZ6gw4mT', 'ewdbxl6u0aDLWkJ', 'KAsvFofzvFDBPLa', 'dRoORTbY0Nf92Yz', 'GPruLIT8mwnSmbw', 'V7YwqHfMRJ5KDmG'
Source: KUPAL.exe.0.dr, ssnftGjpcWgQRRzodzvtrlojetu5ngML6brmX2W8gMw5JGtBMg9AN9VoXrUxcsnr35Fm87Tx.cs	High entropy of concatenated method names: '_0gT5fRJEGRRWvAii8FNW0zGLtWDczWCYB2UYa7VbJqKbZCq3pyOJotvB7zPvRuBPshpT8ceh', '_5g2dT10DATTxc5OZ2PGiqE5Yo1lURBCuk9tWV7aGXZiiClr1irUsgvZrhzcYr2enmwfTcx0w', 'utTzWNXbRMM2x1wgCUt2SUbtkuVAHWJSXd8hH9ITl23LwRrfjeih7L2EiUkKQeDWzUw8QLHW', 'Uy5FgKdtHBidOE8AGQChCVEn9rfhCF42X4MuZxUw6sRb9X0hAIIGaU1x1ftBa5lOhcQjVLDv', 'e9opK80UyENWZZmMcKUSWxMMxEvvppF60jNNCx4p66UQvRUoOoTWLFFIShJwULv2HsK5S7m3', '_7aY0pIPjuj7M1KEfMhCJ1PkDV5w0CmFByLRcBfJF4qFuiOPddGM3lj0tObIL7kVVkggnqSyr', '_6UevKMEBFA08g86rLPOEVcskjPkoh4CkEIT5SZCILjVbVUs6whH49Pyo71CnH4eyHSn5QEGi', '_6Ld76HCSFLJSihqHdXGdYRiIekT75XASc7vC3t5d9KRx7Lsu9hQseBGVT1mnF0mIGYUquqLG', 'W4YDWMk6QHiMuLSXTeQd6lfXLgRBPdXfUwzrDKrMQaQ595C93Npf7gArzjvZfaV9poutRs20', '_4yChv5mMNjiUy3GxWWEkvEwpxH1N7x5MT531kr9yRuS0Pj3uhCk99r4cOI2uVJYgaAGCMhzy'
Source: KUPAL.exe.0.dr, IlOFe16vZxVhby72xUz5Tpz8of5PbmFi8DHIWlR1jvaJDTZ6JTxhgEgqQjpsAGAtPeY4CVzH.cs	High entropy of concatenated method names: '_6Eucg29H61GnFHNSTufqvszpe5v3PDcWWkI7PU6obOxCzMz5znrh70YgaafhZMhNyFbBn5RX', 'kah6rQjfcZWudIBq3QHMEGRQQ5DPCqJjqdr8C8lj0rfNg0jRblo6cCLcsAH2KARLwPyrFcFN', 'XB8yaIHz1nXgMpragf38mOJuhZxCeY5Y8CXhRGKMinf74rrkf9CKuo15Xoq0NL8BfvVBOQzm', 'nwHwtCCHWvKKHsB', 'pVTJh8o6ftGD4JP', 'rI7EKcrpuRksJWq', 'jjHfsoSL1npjMvV', 'uYfVkO1n7hYN9hK', 'An9SI6bT5JHUgLL', '_4MZFL0ePkdDgDiJ'
Source: ADWASl.exe.0.dr, u38s9Z9WCTOOqvgWmyZukf1Jbl2Zyd89JpkvxtuUm61qDCH0HoFspcThnDBLhEToNm.cs	High entropy of concatenated method names: '_0vinH1r4kZ6zCDi50xG0KYU09q6MTvbg0bFCDLbWNN8yvp6ureCsQdzvt4QwGxcByz', 'eeZUhNzgjPzKNYItOLa3fVY0rpXo4ozzdA4VvsLJKDvjNCMpoVRPgoLK30tpwhMcVG', 'DHSOF12YmWHi7Y2Ea6V8CQddumpsPd8Lb2UCt9ZB2Jjrxsk3kXjVPwHqjdiI3xyjKv', 'pgU2aZ1Y4g0Y040rMPkF29VSJJ', 'jTLdMHvUdOpStJAyv2gKqGCwzE', 'JAu1ZJqwQvVxpdCshQL1K7HbpV', 'uQGNqd1IRmk1ZlwDq84RdVvXyr', 'QFOtLmj7Yy1w4irrWnz7xpnq84', 'lCzoeVTvVX5o95whVcAqKh2tq9', 'csWPFOYsxvIK4OmcITcLWITohz'
Source: ADWASl.exe.0.dr, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	High entropy of concatenated method names: 'mGfuytWa6WQ0WDgxGK6h4bZFMmZfcw1nBoVfwvHKY677jNPwk4A50A3XdfgEKHTQkl', 'NR9vFmDfLoPLEE9KqhTrcSOWcKN98IxwOw8mNxttcn9ipRBg7u6mFn7XBDNgVT3EPN', 'BBhwBsPwBQ7aHvwOPk1F9lfrjKVONGHhFlU3hRTh4VoIAS7N2oiZCd4om0YnyxuxPy', 'vZYYgPzT6ZgYFA8EoJBimxbYSK31rymrJUiUWpBzYezcbDeu3xZjkaN1fL5k1mUGj1'
Source: ADWASl.exe.0.dr, 8Jn03Hre77aHAsReZANprRKsF0s5Fkw6Rz.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Ro5UXtdvL9lTcB3Go4zQ7bES0axwxe7GqZdMFK4xNV7S9yGRHXgHrmMSminkgmf9TQ', '_28byse7QgVoGgcpunMdSadbVeJMtg6ykmQk5rgw1BkR5qxDFlvsdercEeNYKVnfbDt', 'rnlF8QgWKPvPfcJLcBQZUepjgpsYqZid8SjtjmeG8qCoaFaePAksD9LsEMMo1oc75Z', 'HHLmOjSjSR4FmnzXL2mQ5iJ7RrUmYHinyIZlbJYNm7Ri5ZPJRiUENV5e5ZbtjCaB9p'
Source: ADWASl.exe.0.dr, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	High entropy of concatenated method names: 'RegexResult', 'WndProc', 'TFQFFwLaOzWJjacuCFDtzqEd4CdjReatTQH6Kb2PSGI7m0qR25IkGAQaGCXLovmQ8rv5gRTCbr4JhLBiIgEq', 'tYIZLXZ6qJ3guetFCsT4mDImouzcYKT2lBzIpFpzLbgGbtA9JavfacFKosEt5N8DdrRXzKW4cy6KhCIoljpf'
Source: ADWASl.exe.0.dr, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	High entropy of concatenated method names: 'cnKgmMpYIPnnVDQCwr1jiPzwSTDaINmJMt', 'Xhvsgll9Vf9MCfY1nTB5A4LpLIT4YlJitO', 'orgO5KFXzdFniv7sd0bIuJ6HXbyhxM7XplXpnBJqgomALUx3RP9e0I0RSEI5AORIEAqw3SYeTGuYlzBbEOyc', 'HdTiGpLspKySW5qTNOATSslbu5F1i5KRealE84Gl4SfMcpucwc0bBAZUvjRvwFRsEnoKbo815Tn2dGRDaM3H', 'ZYzFu4NSwlPX83vNVqCFfJnVPluYiuJOaPizKz3wZROBNkTJzUhl3oWLb8O9x518sG4pz62OSCF3IEQpIgfy', 'ScUoaMaBi6v2mMtez8EPiTP0TdwxSUR8t0js0YrU3qAGGXlRv4SCl77mC8mJYpZBdNqnSDBeYGWFnvNZwokI'
Source: ADWASl.exe.0.dr, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	High entropy of concatenated method names: 'dAl3wAJgE2hCWPOUfNCkDG2pCC4lUK3LHH', 'a25UXsBfhVpLi4QDCqNZHmivJ4dBt8yaff', 'yYqhfSxRhGs3b6ZLwtWIpDpvnx5rkuE3PK', '_0VlklZJQP9z34ka4pGGEbkGUpJgts9pPeW', 'SMifTvxxY8QlZhB45Cp42n4ZNYSUXryivFp2mo6QEhcv53T0YnKpVxmSBtfsRUdSFw3QZWzu9xlUk6ZloQcK', 'yGTQdN3yaA8jSXShvRMRlyGKlVD3uqL6y15gxkmx3N2re8n5MZI6kaca4w229AWLj2ikjQqPsP3bCR9saIqX', 'wpRvcNU9aBH2NPh09FlpmBfeZqJhs5RPW4TozNPTq6dKhtjuFjGda1AS0fRNqWNPI72n1ndJCxRi5SBmhNdb', 'cwHniMcQcyEoPmwfIFHNIQf51X0o85l4IVlx8dtstk5meHYolQPUr8B4UUc94vs5drTVlYv1HplmyslRTdhU', 'B0ctOMHIaYuq4DoIffhCvdLahg8BWikabU4Jqceryr95xFws8TBuA8xDyCPIe9KsYpASfxClZ5dfTS70ABv7', 'oMKCMRP0WNr4HxbKRicox9jJOuzIcsmcXHxAHm042fc3NiG4MX4tVxvuxQHBSCqULEXX2hiPNQ0l23kAhBnF'
Source: ADWASl.exe.0.dr, BAQsBn1NJkPD4C1VnOoNbnTib2DUcZF1qK.cs	High entropy of concatenated method names: 'wXsvxN62Mr9gl9UrpAyNnp311jXRBsVfQC', '_8PHuY8sFn5QhfIOGCCKC1xnFsULJUbQb39eIJvRanGGIeV2Q5CfpEuUPpi2A186ROS1sjhq3ykvkZ1Q9KlMqCx7FalUygvVDMBX', 'UPo2N6PkxOlmCrPv73pTjhQm03ZUdFkDK50jMSHjDffoIHO3hAOgGw5dhCKZ58m2q9ojH9UpUZ4CBk5GqJDw4Xl6AUD5lsMteb0', '_21yJlfvbhX8fWpxwxI6fOSeYAppEiqyJkJqU4MUWGzU88oQvuQpGhZ726fwkegJm5ukeQ9mdQtoprBKTzu2UPRtRPyyZee2RfFw', 'zUT16vTMGPlv0IHRpTOoGjlY3TfAemgYdcBSk8aGqtwDnGu2ROsKfrcngaTpCN0Dqn0Ta6UbV1CkUe5gi7rAZJnKEH3cRv7JjL5'
Source: ADWASl.exe.0.dr, YIjiSEP2hWhyiDjYGa3MSDagl74ezBDVEx.cs	High entropy of concatenated method names: 'QvpI6SyQBJiQsiJkFip2JqZZbDLGhHhEBJ', '_62UTKRqa1fuFLWYa3XHoEmyDsQjXrWdOwD', 'S7UE8mcyPp1DOImplhCGZs2ZPfXPTpc3EB', 'p7yCbZiTTTSjApiyx5xtAy7dqcR70V0reB', 'OHUWIS5DXRDpGnUnKgO7QPBVnTg45LoatZ', 'zuoLZfLwt7TIqJna5bRqfvJirJTXes80EP', 'fsbO2Yro18k8meNYOOTu2iw5qCJzqg1dYJ', 'Wcz7z2cuZPAmPnLrU2Bvu6977a3bzIa6LP', 'dJmYOgalmpgYhoBQ0yepHL5NM0flFISpwY', 'ip6WqYH1rnV1j0aUSLL5O3VznLKO7GFVcW'
Source: ADWASl.exe.0.dr, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	High entropy of concatenated method names: 'dBcrZH24HmkCEHAYVhPxDRjLkHV2kWH40b', 'laqMxXP2ShfLtt9P2NTp7VQa5VUeqF8J0v', 'JOGYlg8J5eW5lmwwPRCg6gDEBEIrrq3brx', 'sdzfOmFg6n4ctdWj0ooCz63msqcRM08rVi', '_1VlgYUV8S6zLySarc50fuyjTrzMAVR5KyM', 'nT6e0fKSnxd8qv1KFSdMUPnCE1nBGX7SDy', 'oPIpiMiejMw8TyLRoQ7VevsQBzUWNC5Qno', '_3JOBGturmzfrWhVFdXi4swnN8pftftI25A', '_2caYB2Zw2k7U8DR0O4cc4X6NeX1rjIEv3v', 'a0rmiy6WZzbbiwX8iHlAqcKWBRhw1ZKuCO'
Source: ADWASl.exe.0.dr, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	High entropy of concatenated method names: 'SqPdoywPFn04FJsIhIjYJynBTBUBhkcgPy', 'hepLC7MDRzkmKzzMQy3Ishnne9eRU3J47O', 'i2eVWW15crSKwLffkqP4B262FqX0N1UCAi', '_4PbWIlZGrbHZVqWCUzRTCgVimiAS88fcpD', 'SS22hw4cvc8Al7FNVPrvKYwmToVCgYP1gp', 'v162s1m0TmuI2HMVuZ2XrbQgyUzHfNF2ts', 'BTmi22SqBaOgLnbAxDJqm4Pa8FId9dRrTe', 'wOWU4U5L6FG0eWWIcuIzKFqrhkLMWkGERr', 'L8GYlRBERVJxwfGiESrGYRvF6yJLhAxq8h', 'pyy936QW1sMycFhiBtct3TrELaVCH74pRa'
Source: ADWASl.exe.0.dr, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	High entropy of concatenated method names: '_9iegpGDtJbfK2aqRy9UiIXStmuPAgPL77f', 'reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT', 'M9k8c8qB1PK70urQxEO2Og7cv5ZwNrI1Ea', 'fPmYGq9VcjEyEHoHZhf7boRNWHP9qzOUCC', 'Hkssw45dYNVC38LsBqgoxwxL8FdwDdVelQ', 'eLt3ijCZSwNHLUXeCzOH2NwQQCEnQDf0lY', '_0rXZS3snI76q0nD4rVguwmWneEdJbKX0Ic', '_6sRz153lQrhVLuAVh3bLlRyqtCn9vWoqn5', 'xNcck2lUSW9CMCpZ5JgWO4ZrGHyg2JQmBV', 's9ULWO4sPROQzS51wchU3OnnEjUSlSACcT'
Source: ADWASl.exe.0.dr, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	High entropy of concatenated method names: 'eT8SBGXb7pO5Me9JgNuYemrbTsKueDNATB', '_3xMOOF9BHl9e2afKtbXIG5PO1vJ4COBoifgI6IsMomnIgWPS2d0jBee4rNUXz40KOblvZofeeE3hH4OfiLfc', 'n9H8kfAXkOquWVWdUkoGex7HhQ72YrCc4PTa9puj3MhKxP2Ddr4wFulQzf2ZqP4PNULHXgSc6NnIGvBZ1d93', 'AQZa4zAa1Jq467vDC7cwZ99RjYFyzt2hsbi3b6NwIgvWD3IXotskm9lhRJOINhsnEY2Z4jasPKWMdawotm88', 'JzZnzPaK60MHF1GhSvQKjAVxcaSfqE9iH36PrgSDVnhWt0qsaKjraKsDXy50nLcdMWNbc941v7t8woWgQGVV'
Source: ADWASl.exe.0.dr, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	High entropy of concatenated method names: 'NOC81tgrhaMEvZFKfFS1vB4pMjzFkdKFjE', 'PWp7itE6MA7Q6Mt6BDU15Vp2d46qne3vDP', 'kBNeHrrMd2yyOTO8RLHtgecDIYlEayaroB', 'wwFuW5mlYgGtfLhRBlo8iWNrFa4LtFBBI3', 'eUjStOd1tRgbyHoJzcgx3kD08m2QkBdFiZ', 'lF3UmHXRLMMNiI2wYNe1EOSj9oF2gSOwHs', 'dm5F6FIuOnB9NU4YpDVy2lD3WyYLYQ1U92', 'EbKRSNC8Ar6f9SSgJJMloythXlRNbrUgxt', 'U9MDMV2qX0fme01XgcIlFHK6uax6PkFmRb', 'Z6ncaO2On6MqZqqlAhEboOBdExFIhoxNPk'
Source: ADWASl.exe.0.dr, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'LCSo9sSuwXZM1gRSBlBoig5fm9Wa49L1UO', 'OWEu2tda9MuWposFbiLoOnDpTvOzDAvfhrxZc3JwbZme9qkvGeKFrvadnUKsnx9C18SIYbwlMKLIXEPOdpuB', '_79XQMJdP2nGQE8BuDvji79HJDnx3a6kPOXzbTP7lW01HwJMysl53TVOxRNQFXNXsACxjYrLvgsFeUxHqSF8k', '_13tFW9Eyzw5spEi7ZzJK7ye9KhiPgI0Cxcu7CxYaZAPB3Z14YMr6k26Y5wEUo6r3RPwReDxnNwU5MzG9tR2w', 'QLqFvKO4cKP6lTZR0O1KMo7LCIdxjwTuwbC1o5YL0zLoe1l5KbxkZX9XfSYhFH4fturIxpgRVqCiXwsRCeZx'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, u38s9Z9WCTOOqvgWmyZukf1Jbl2Zyd89JpkvxtuUm61qDCH0HoFspcThnDBLhEToNm.cs	High entropy of concatenated method names: '_0vinH1r4kZ6zCDi50xG0KYU09q6MTvbg0bFCDLbWNN8yvp6ureCsQdzvt4QwGxcByz', 'eeZUhNzgjPzKNYItOLa3fVY0rpXo4ozzdA4VvsLJKDvjNCMpoVRPgoLK30tpwhMcVG', 'DHSOF12YmWHi7Y2Ea6V8CQddumpsPd8Lb2UCt9ZB2Jjrxsk3kXjVPwHqjdiI3xyjKv', 'pgU2aZ1Y4g0Y040rMPkF29VSJJ', 'jTLdMHvUdOpStJAyv2gKqGCwzE', 'JAu1ZJqwQvVxpdCshQL1K7HbpV', 'uQGNqd1IRmk1ZlwDq84RdVvXyr', 'QFOtLmj7Yy1w4irrWnz7xpnq84', 'lCzoeVTvVX5o95whVcAqKh2tq9', 'csWPFOYsxvIK4OmcITcLWITohz'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	High entropy of concatenated method names: 'mGfuytWa6WQ0WDgxGK6h4bZFMmZfcw1nBoVfwvHKY677jNPwk4A50A3XdfgEKHTQkl', 'NR9vFmDfLoPLEE9KqhTrcSOWcKN98IxwOw8mNxttcn9ipRBg7u6mFn7XBDNgVT3EPN', 'BBhwBsPwBQ7aHvwOPk1F9lfrjKVONGHhFlU3hRTh4VoIAS7N2oiZCd4om0YnyxuxPy', 'vZYYgPzT6ZgYFA8EoJBimxbYSK31rymrJUiUWpBzYezcbDeu3xZjkaN1fL5k1mUGj1'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, 8Jn03Hre77aHAsReZANprRKsF0s5Fkw6Rz.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Ro5UXtdvL9lTcB3Go4zQ7bES0axwxe7GqZdMFK4xNV7S9yGRHXgHrmMSminkgmf9TQ', '_28byse7QgVoGgcpunMdSadbVeJMtg6ykmQk5rgw1BkR5qxDFlvsdercEeNYKVnfbDt', 'rnlF8QgWKPvPfcJLcBQZUepjgpsYqZid8SjtjmeG8qCoaFaePAksD9LsEMMo1oc75Z', 'HHLmOjSjSR4FmnzXL2mQ5iJ7RrUmYHinyIZlbJYNm7Ri5ZPJRiUENV5e5ZbtjCaB9p'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	High entropy of concatenated method names: 'RegexResult', 'WndProc', 'TFQFFwLaOzWJjacuCFDtzqEd4CdjReatTQH6Kb2PSGI7m0qR25IkGAQaGCXLovmQ8rv5gRTCbr4JhLBiIgEq', 'tYIZLXZ6qJ3guetFCsT4mDImouzcYKT2lBzIpFpzLbgGbtA9JavfacFKosEt5N8DdrRXzKW4cy6KhCIoljpf'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	High entropy of concatenated method names: 'cnKgmMpYIPnnVDQCwr1jiPzwSTDaINmJMt', 'Xhvsgll9Vf9MCfY1nTB5A4LpLIT4YlJitO', 'orgO5KFXzdFniv7sd0bIuJ6HXbyhxM7XplXpnBJqgomALUx3RP9e0I0RSEI5AORIEAqw3SYeTGuYlzBbEOyc', 'HdTiGpLspKySW5qTNOATSslbu5F1i5KRealE84Gl4SfMcpucwc0bBAZUvjRvwFRsEnoKbo815Tn2dGRDaM3H', 'ZYzFu4NSwlPX83vNVqCFfJnVPluYiuJOaPizKz3wZROBNkTJzUhl3oWLb8O9x518sG4pz62OSCF3IEQpIgfy', 'ScUoaMaBi6v2mMtez8EPiTP0TdwxSUR8t0js0YrU3qAGGXlRv4SCl77mC8mJYpZBdNqnSDBeYGWFnvNZwokI'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	High entropy of concatenated method names: 'dAl3wAJgE2hCWPOUfNCkDG2pCC4lUK3LHH', 'a25UXsBfhVpLi4QDCqNZHmivJ4dBt8yaff', 'yYqhfSxRhGs3b6ZLwtWIpDpvnx5rkuE3PK', '_0VlklZJQP9z34ka4pGGEbkGUpJgts9pPeW', 'SMifTvxxY8QlZhB45Cp42n4ZNYSUXryivFp2mo6QEhcv53T0YnKpVxmSBtfsRUdSFw3QZWzu9xlUk6ZloQcK', 'yGTQdN3yaA8jSXShvRMRlyGKlVD3uqL6y15gxkmx3N2re8n5MZI6kaca4w229AWLj2ikjQqPsP3bCR9saIqX', 'wpRvcNU9aBH2NPh09FlpmBfeZqJhs5RPW4TozNPTq6dKhtjuFjGda1AS0fRNqWNPI72n1ndJCxRi5SBmhNdb', 'cwHniMcQcyEoPmwfIFHNIQf51X0o85l4IVlx8dtstk5meHYolQPUr8B4UUc94vs5drTVlYv1HplmyslRTdhU', 'B0ctOMHIaYuq4DoIffhCvdLahg8BWikabU4Jqceryr95xFws8TBuA8xDyCPIe9KsYpASfxClZ5dfTS70ABv7', 'oMKCMRP0WNr4HxbKRicox9jJOuzIcsmcXHxAHm042fc3NiG4MX4tVxvuxQHBSCqULEXX2hiPNQ0l23kAhBnF'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, BAQsBn1NJkPD4C1VnOoNbnTib2DUcZF1qK.cs	High entropy of concatenated method names: 'wXsvxN62Mr9gl9UrpAyNnp311jXRBsVfQC', '_8PHuY8sFn5QhfIOGCCKC1xnFsULJUbQb39eIJvRanGGIeV2Q5CfpEuUPpi2A186ROS1sjhq3ykvkZ1Q9KlMqCx7FalUygvVDMBX', 'UPo2N6PkxOlmCrPv73pTjhQm03ZUdFkDK50jMSHjDffoIHO3hAOgGw5dhCKZ58m2q9ojH9UpUZ4CBk5GqJDw4Xl6AUD5lsMteb0', '_21yJlfvbhX8fWpxwxI6fOSeYAppEiqyJkJqU4MUWGzU88oQvuQpGhZ726fwkegJm5ukeQ9mdQtoprBKTzu2UPRtRPyyZee2RfFw', 'zUT16vTMGPlv0IHRpTOoGjlY3TfAemgYdcBSk8aGqtwDnGu2ROsKfrcngaTpCN0Dqn0Ta6UbV1CkUe5gi7rAZJnKEH3cRv7JjL5'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, YIjiSEP2hWhyiDjYGa3MSDagl74ezBDVEx.cs	High entropy of concatenated method names: 'QvpI6SyQBJiQsiJkFip2JqZZbDLGhHhEBJ', '_62UTKRqa1fuFLWYa3XHoEmyDsQjXrWdOwD', 'S7UE8mcyPp1DOImplhCGZs2ZPfXPTpc3EB', 'p7yCbZiTTTSjApiyx5xtAy7dqcR70V0reB', 'OHUWIS5DXRDpGnUnKgO7QPBVnTg45LoatZ', 'zuoLZfLwt7TIqJna5bRqfvJirJTXes80EP', 'fsbO2Yro18k8meNYOOTu2iw5qCJzqg1dYJ', 'Wcz7z2cuZPAmPnLrU2Bvu6977a3bzIa6LP', 'dJmYOgalmpgYhoBQ0yepHL5NM0flFISpwY', 'ip6WqYH1rnV1j0aUSLL5O3VznLKO7GFVcW'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	High entropy of concatenated method names: 'dBcrZH24HmkCEHAYVhPxDRjLkHV2kWH40b', 'laqMxXP2ShfLtt9P2NTp7VQa5VUeqF8J0v', 'JOGYlg8J5eW5lmwwPRCg6gDEBEIrrq3brx', 'sdzfOmFg6n4ctdWj0ooCz63msqcRM08rVi', '_1VlgYUV8S6zLySarc50fuyjTrzMAVR5KyM', 'nT6e0fKSnxd8qv1KFSdMUPnCE1nBGX7SDy', 'oPIpiMiejMw8TyLRoQ7VevsQBzUWNC5Qno', '_3JOBGturmzfrWhVFdXi4swnN8pftftI25A', '_2caYB2Zw2k7U8DR0O4cc4X6NeX1rjIEv3v', 'a0rmiy6WZzbbiwX8iHlAqcKWBRhw1ZKuCO'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	High entropy of concatenated method names: 'SqPdoywPFn04FJsIhIjYJynBTBUBhkcgPy', 'hepLC7MDRzkmKzzMQy3Ishnne9eRU3J47O', 'i2eVWW15crSKwLffkqP4B262FqX0N1UCAi', '_4PbWIlZGrbHZVqWCUzRTCgVimiAS88fcpD', 'SS22hw4cvc8Al7FNVPrvKYwmToVCgYP1gp', 'v162s1m0TmuI2HMVuZ2XrbQgyUzHfNF2ts', 'BTmi22SqBaOgLnbAxDJqm4Pa8FId9dRrTe', 'wOWU4U5L6FG0eWWIcuIzKFqrhkLMWkGERr', 'L8GYlRBERVJxwfGiESrGYRvF6yJLhAxq8h', 'pyy936QW1sMycFhiBtct3TrELaVCH74pRa'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	High entropy of concatenated method names: '_9iegpGDtJbfK2aqRy9UiIXStmuPAgPL77f', 'reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT', 'M9k8c8qB1PK70urQxEO2Og7cv5ZwNrI1Ea', 'fPmYGq9VcjEyEHoHZhf7boRNWHP9qzOUCC', 'Hkssw45dYNVC38LsBqgoxwxL8FdwDdVelQ', 'eLt3ijCZSwNHLUXeCzOH2NwQQCEnQDf0lY', '_0rXZS3snI76q0nD4rVguwmWneEdJbKX0Ic', '_6sRz153lQrhVLuAVh3bLlRyqtCn9vWoqn5', 'xNcck2lUSW9CMCpZ5JgWO4ZrGHyg2JQmBV', 's9ULWO4sPROQzS51wchU3OnnEjUSlSACcT'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	High entropy of concatenated method names: 'eT8SBGXb7pO5Me9JgNuYemrbTsKueDNATB', '_3xMOOF9BHl9e2afKtbXIG5PO1vJ4COBoifgI6IsMomnIgWPS2d0jBee4rNUXz40KOblvZofeeE3hH4OfiLfc', 'n9H8kfAXkOquWVWdUkoGex7HhQ72YrCc4PTa9puj3MhKxP2Ddr4wFulQzf2ZqP4PNULHXgSc6NnIGvBZ1d93', 'AQZa4zAa1Jq467vDC7cwZ99RjYFyzt2hsbi3b6NwIgvWD3IXotskm9lhRJOINhsnEY2Z4jasPKWMdawotm88', 'JzZnzPaK60MHF1GhSvQKjAVxcaSfqE9iH36PrgSDVnhWt0qsaKjraKsDXy50nLcdMWNbc941v7t8woWgQGVV'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	High entropy of concatenated method names: 'NOC81tgrhaMEvZFKfFS1vB4pMjzFkdKFjE', 'PWp7itE6MA7Q6Mt6BDU15Vp2d46qne3vDP', 'kBNeHrrMd2yyOTO8RLHtgecDIYlEayaroB', 'wwFuW5mlYgGtfLhRBlo8iWNrFa4LtFBBI3', 'eUjStOd1tRgbyHoJzcgx3kD08m2QkBdFiZ', 'lF3UmHXRLMMNiI2wYNe1EOSj9oF2gSOwHs', 'dm5F6FIuOnB9NU4YpDVy2lD3WyYLYQ1U92', 'EbKRSNC8Ar6f9SSgJJMloythXlRNbrUgxt', 'U9MDMV2qX0fme01XgcIlFHK6uax6PkFmRb', 'Z6ncaO2On6MqZqqlAhEboOBdExFIhoxNPk'
Source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'LCSo9sSuwXZM1gRSBlBoig5fm9Wa49L1UO', 'OWEu2tda9MuWposFbiLoOnDpTvOzDAvfhrxZc3JwbZme9qkvGeKFrvadnUKsnx9C18SIYbwlMKLIXEPOdpuB', '_79XQMJdP2nGQE8BuDvji79HJDnx3a6kPOXzbTP7lW01HwJMysl53TVOxRNQFXNXsACxjYrLvgsFeUxHqSF8k', '_13tFW9Eyzw5spEi7ZzJK7ye9KhiPgI0Cxcu7CxYaZAPB3Z14YMr6k26Y5wEUo6r3RPwReDxnNwU5MzG9tR2w', 'QLqFvKO4cKP6lTZR0O1KMo7LCIdxjwTuwbC1o5YL0zLoe1l5KbxkZX9XfSYhFH4fturIxpgRVqCiXwsRCeZx'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, u38s9Z9WCTOOqvgWmyZukf1Jbl2Zyd89JpkvxtuUm61qDCH0HoFspcThnDBLhEToNm.cs	High entropy of concatenated method names: '_0vinH1r4kZ6zCDi50xG0KYU09q6MTvbg0bFCDLbWNN8yvp6ureCsQdzvt4QwGxcByz', 'eeZUhNzgjPzKNYItOLa3fVY0rpXo4ozzdA4VvsLJKDvjNCMpoVRPgoLK30tpwhMcVG', 'DHSOF12YmWHi7Y2Ea6V8CQddumpsPd8Lb2UCt9ZB2Jjrxsk3kXjVPwHqjdiI3xyjKv', 'pgU2aZ1Y4g0Y040rMPkF29VSJJ', 'jTLdMHvUdOpStJAyv2gKqGCwzE', 'JAu1ZJqwQvVxpdCshQL1K7HbpV', 'uQGNqd1IRmk1ZlwDq84RdVvXyr', 'QFOtLmj7Yy1w4irrWnz7xpnq84', 'lCzoeVTvVX5o95whVcAqKh2tq9', 'csWPFOYsxvIK4OmcITcLWITohz'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, ixqLVecPhQSv5ypjrf5MA3PZVAZKlfhEpy.cs	High entropy of concatenated method names: 'mGfuytWa6WQ0WDgxGK6h4bZFMmZfcw1nBoVfwvHKY677jNPwk4A50A3XdfgEKHTQkl', 'NR9vFmDfLoPLEE9KqhTrcSOWcKN98IxwOw8mNxttcn9ipRBg7u6mFn7XBDNgVT3EPN', 'BBhwBsPwBQ7aHvwOPk1F9lfrjKVONGHhFlU3hRTh4VoIAS7N2oiZCd4om0YnyxuxPy', 'vZYYgPzT6ZgYFA8EoJBimxbYSK31rymrJUiUWpBzYezcbDeu3xZjkaN1fL5k1mUGj1'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, 8Jn03Hre77aHAsReZANprRKsF0s5Fkw6Rz.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Ro5UXtdvL9lTcB3Go4zQ7bES0axwxe7GqZdMFK4xNV7S9yGRHXgHrmMSminkgmf9TQ', '_28byse7QgVoGgcpunMdSadbVeJMtg6ykmQk5rgw1BkR5qxDFlvsdercEeNYKVnfbDt', 'rnlF8QgWKPvPfcJLcBQZUepjgpsYqZid8SjtjmeG8qCoaFaePAksD9LsEMMo1oc75Z', 'HHLmOjSjSR4FmnzXL2mQ5iJ7RrUmYHinyIZlbJYNm7Ri5ZPJRiUENV5e5ZbtjCaB9p'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, C24oq3gROLrYOk6dmUEy7sICOo40QRzph5.cs	High entropy of concatenated method names: 'RegexResult', 'WndProc', 'TFQFFwLaOzWJjacuCFDtzqEd4CdjReatTQH6Kb2PSGI7m0qR25IkGAQaGCXLovmQ8rv5gRTCbr4JhLBiIgEq', 'tYIZLXZ6qJ3guetFCsT4mDImouzcYKT2lBzIpFpzLbgGbtA9JavfacFKosEt5N8DdrRXzKW4cy6KhCIoljpf'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, K60UU3oo00BaGSC2xkqkfkxfBhPAShSOLw.cs	High entropy of concatenated method names: 'cnKgmMpYIPnnVDQCwr1jiPzwSTDaINmJMt', 'Xhvsgll9Vf9MCfY1nTB5A4LpLIT4YlJitO', 'orgO5KFXzdFniv7sd0bIuJ6HXbyhxM7XplXpnBJqgomALUx3RP9e0I0RSEI5AORIEAqw3SYeTGuYlzBbEOyc', 'HdTiGpLspKySW5qTNOATSslbu5F1i5KRealE84Gl4SfMcpucwc0bBAZUvjRvwFRsEnoKbo815Tn2dGRDaM3H', 'ZYzFu4NSwlPX83vNVqCFfJnVPluYiuJOaPizKz3wZROBNkTJzUhl3oWLb8O9x518sG4pz62OSCF3IEQpIgfy', 'ScUoaMaBi6v2mMtez8EPiTP0TdwxSUR8t0js0YrU3qAGGXlRv4SCl77mC8mJYpZBdNqnSDBeYGWFnvNZwokI'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, sBHwgorolzn5HxGWJ9IJTU83tLjuqDiket.cs	High entropy of concatenated method names: 'dAl3wAJgE2hCWPOUfNCkDG2pCC4lUK3LHH', 'a25UXsBfhVpLi4QDCqNZHmivJ4dBt8yaff', 'yYqhfSxRhGs3b6ZLwtWIpDpvnx5rkuE3PK', '_0VlklZJQP9z34ka4pGGEbkGUpJgts9pPeW', 'SMifTvxxY8QlZhB45Cp42n4ZNYSUXryivFp2mo6QEhcv53T0YnKpVxmSBtfsRUdSFw3QZWzu9xlUk6ZloQcK', 'yGTQdN3yaA8jSXShvRMRlyGKlVD3uqL6y15gxkmx3N2re8n5MZI6kaca4w229AWLj2ikjQqPsP3bCR9saIqX', 'wpRvcNU9aBH2NPh09FlpmBfeZqJhs5RPW4TozNPTq6dKhtjuFjGda1AS0fRNqWNPI72n1ndJCxRi5SBmhNdb', 'cwHniMcQcyEoPmwfIFHNIQf51X0o85l4IVlx8dtstk5meHYolQPUr8B4UUc94vs5drTVlYv1HplmyslRTdhU', 'B0ctOMHIaYuq4DoIffhCvdLahg8BWikabU4Jqceryr95xFws8TBuA8xDyCPIe9KsYpASfxClZ5dfTS70ABv7', 'oMKCMRP0WNr4HxbKRicox9jJOuzIcsmcXHxAHm042fc3NiG4MX4tVxvuxQHBSCqULEXX2hiPNQ0l23kAhBnF'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, BAQsBn1NJkPD4C1VnOoNbnTib2DUcZF1qK.cs	High entropy of concatenated method names: 'wXsvxN62Mr9gl9UrpAyNnp311jXRBsVfQC', '_8PHuY8sFn5QhfIOGCCKC1xnFsULJUbQb39eIJvRanGGIeV2Q5CfpEuUPpi2A186ROS1sjhq3ykvkZ1Q9KlMqCx7FalUygvVDMBX', 'UPo2N6PkxOlmCrPv73pTjhQm03ZUdFkDK50jMSHjDffoIHO3hAOgGw5dhCKZ58m2q9ojH9UpUZ4CBk5GqJDw4Xl6AUD5lsMteb0', '_21yJlfvbhX8fWpxwxI6fOSeYAppEiqyJkJqU4MUWGzU88oQvuQpGhZ726fwkegJm5ukeQ9mdQtoprBKTzu2UPRtRPyyZee2RfFw', 'zUT16vTMGPlv0IHRpTOoGjlY3TfAemgYdcBSk8aGqtwDnGu2ROsKfrcngaTpCN0Dqn0Ta6UbV1CkUe5gi7rAZJnKEH3cRv7JjL5'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, YIjiSEP2hWhyiDjYGa3MSDagl74ezBDVEx.cs	High entropy of concatenated method names: 'QvpI6SyQBJiQsiJkFip2JqZZbDLGhHhEBJ', '_62UTKRqa1fuFLWYa3XHoEmyDsQjXrWdOwD', 'S7UE8mcyPp1DOImplhCGZs2ZPfXPTpc3EB', 'p7yCbZiTTTSjApiyx5xtAy7dqcR70V0reB', 'OHUWIS5DXRDpGnUnKgO7QPBVnTg45LoatZ', 'zuoLZfLwt7TIqJna5bRqfvJirJTXes80EP', 'fsbO2Yro18k8meNYOOTu2iw5qCJzqg1dYJ', 'Wcz7z2cuZPAmPnLrU2Bvu6977a3bzIa6LP', 'dJmYOgalmpgYhoBQ0yepHL5NM0flFISpwY', 'ip6WqYH1rnV1j0aUSLL5O3VznLKO7GFVcW'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, iADMLmBqp6TEbzudquzuhjBGSSSBLkMgO7.cs	High entropy of concatenated method names: 'dBcrZH24HmkCEHAYVhPxDRjLkHV2kWH40b', 'laqMxXP2ShfLtt9P2NTp7VQa5VUeqF8J0v', 'JOGYlg8J5eW5lmwwPRCg6gDEBEIrrq3brx', 'sdzfOmFg6n4ctdWj0ooCz63msqcRM08rVi', '_1VlgYUV8S6zLySarc50fuyjTrzMAVR5KyM', 'nT6e0fKSnxd8qv1KFSdMUPnCE1nBGX7SDy', 'oPIpiMiejMw8TyLRoQ7VevsQBzUWNC5Qno', '_3JOBGturmzfrWhVFdXi4swnN8pftftI25A', '_2caYB2Zw2k7U8DR0O4cc4X6NeX1rjIEv3v', 'a0rmiy6WZzbbiwX8iHlAqcKWBRhw1ZKuCO'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, lSnlyeG1tl5KQkwD8NclIaFnT7i7LfXEik.cs	High entropy of concatenated method names: 'SqPdoywPFn04FJsIhIjYJynBTBUBhkcgPy', 'hepLC7MDRzkmKzzMQy3Ishnne9eRU3J47O', 'i2eVWW15crSKwLffkqP4B262FqX0N1UCAi', '_4PbWIlZGrbHZVqWCUzRTCgVimiAS88fcpD', 'SS22hw4cvc8Al7FNVPrvKYwmToVCgYP1gp', 'v162s1m0TmuI2HMVuZ2XrbQgyUzHfNF2ts', 'BTmi22SqBaOgLnbAxDJqm4Pa8FId9dRrTe', 'wOWU4U5L6FG0eWWIcuIzKFqrhkLMWkGERr', 'L8GYlRBERVJxwfGiESrGYRvF6yJLhAxq8h', 'pyy936QW1sMycFhiBtct3TrELaVCH74pRa'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, exr3iDBYtIdTTcddWoA4CCbzNPKIuJGTaM.cs	High entropy of concatenated method names: '_9iegpGDtJbfK2aqRy9UiIXStmuPAgPL77f', 'reNDzxclNtB1Mmtb3GyTq5nlRjnhzcyiVT', 'M9k8c8qB1PK70urQxEO2Og7cv5ZwNrI1Ea', 'fPmYGq9VcjEyEHoHZhf7boRNWHP9qzOUCC', 'Hkssw45dYNVC38LsBqgoxwxL8FdwDdVelQ', 'eLt3ijCZSwNHLUXeCzOH2NwQQCEnQDf0lY', '_0rXZS3snI76q0nD4rVguwmWneEdJbKX0Ic', '_6sRz153lQrhVLuAVh3bLlRyqtCn9vWoqn5', 'xNcck2lUSW9CMCpZ5JgWO4ZrGHyg2JQmBV', 's9ULWO4sPROQzS51wchU3OnnEjUSlSACcT'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, l7FfIASus9c8vyY0D43xwGPRrnKyG6qUaC.cs	High entropy of concatenated method names: 'eT8SBGXb7pO5Me9JgNuYemrbTsKueDNATB', '_3xMOOF9BHl9e2afKtbXIG5PO1vJ4COBoifgI6IsMomnIgWPS2d0jBee4rNUXz40KOblvZofeeE3hH4OfiLfc', 'n9H8kfAXkOquWVWdUkoGex7HhQ72YrCc4PTa9puj3MhKxP2Ddr4wFulQzf2ZqP4PNULHXgSc6NnIGvBZ1d93', 'AQZa4zAa1Jq467vDC7cwZ99RjYFyzt2hsbi3b6NwIgvWD3IXotskm9lhRJOINhsnEY2Z4jasPKWMdawotm88', 'JzZnzPaK60MHF1GhSvQKjAVxcaSfqE9iH36PrgSDVnhWt0qsaKjraKsDXy50nLcdMWNbc941v7t8woWgQGVV'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, UoyADBoJtM9OU8f6Bbpxit6W2v6nAPYc5E.cs	High entropy of concatenated method names: 'NOC81tgrhaMEvZFKfFS1vB4pMjzFkdKFjE', 'PWp7itE6MA7Q6Mt6BDU15Vp2d46qne3vDP', 'kBNeHrrMd2yyOTO8RLHtgecDIYlEayaroB', 'wwFuW5mlYgGtfLhRBlo8iWNrFa4LtFBBI3', 'eUjStOd1tRgbyHoJzcgx3kD08m2QkBdFiZ', 'lF3UmHXRLMMNiI2wYNe1EOSj9oF2gSOwHs', 'dm5F6FIuOnB9NU4YpDVy2lD3WyYLYQ1U92', 'EbKRSNC8Ar6f9SSgJJMloythXlRNbrUgxt', 'U9MDMV2qX0fme01XgcIlFHK6uax6PkFmRb', 'Z6ncaO2On6MqZqqlAhEboOBdExFIhoxNPk'
Source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, eQt59Ta96LVHJWsPR9UTXKGcK74ouYhstV.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'LCSo9sSuwXZM1gRSBlBoig5fm9Wa49L1UO', 'OWEu2tda9MuWposFbiLoOnDpTvOzDAvfhrxZc3JwbZme9qkvGeKFrvadnUKsnx9C18SIYbwlMKLIXEPOdpuB', '_79XQMJdP2nGQE8BuDvji79HJDnx3a6kPOXzbTP7lW01HwJMysl53TVOxRNQFXNXsACxjYrLvgsFeUxHqSF8k', '_13tFW9Eyzw5spEi7ZzJK7ye9KhiPgI0Cxcu7CxYaZAPB3Z14YMr6k26Y5wEUo6r3RPwReDxnNwU5MzG9tR2w', 'QLqFvKO4cKP6lTZR0O1KMo7LCIdxjwTuwbC1o5YL0zLoe1l5KbxkZX9XfSYhFH4fturIxpgRVqCiXwsRCeZx'

Drops PE files

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	File created: C:\Users\user\AppData\Roaming\KUPAL.exe			Jump to dropped file
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	File created: C:\Users\user\AppData\Roaming\ADWASl.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Memory allocated: 1120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Memory allocated: 1ACF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Memory allocated: 15E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Memory allocated: 1B0C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Memory allocated: DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Memory allocated: 1AA60000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7750	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1881	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7608	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2067	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6978
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1217
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6900
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2715
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7433
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2113
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5936
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1066
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7123
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1117
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6329
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 958

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe TID: 3300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2224	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5544	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3924	Thread sleep count: 6978 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5280	Thread sleep count: 1217 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3200	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1016	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4184	Thread sleep count: 6900 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3756	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5916	Thread sleep count: 2715 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6640	Thread sleep count: 7433 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1592	Thread sleep count: 2113 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2056	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 796	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1088	Thread sleep count: 7123 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5680	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1088	Thread sleep count: 1117 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3300	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3896	Thread sleep count: 6329 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1524	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6392	Thread sleep count: 958 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6112	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\KUPAL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\KUPAL.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: ADWASl.exe, 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: vmware
Source: UH7iNNKgPW.exe, 00000000.00000002.2119347657.000000001B948000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process queried: DebugPort			Jump to behavior

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ADWASl.exe'
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ADWASl.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Roaming\KUPAL.exe

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\KUPAL.exe "C:\Users\user\AppData\Roaming\KUPAL.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Process created: C:\Users\user\AppData\Roaming\ADWASl.exe "C:\Users\user\AppData\Roaming\ADWASl.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\KUPAL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KUPAL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ADWASl.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ADWASl.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\system user'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'	Jump to behavior

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe	Queries volume information: C:\Users\user\Desktop\UH7iNNKgPW.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KUPAL.exe	Queries volume information: C:\Users\user\AppData\Roaming\KUPAL.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ADWASl.exe	Queries volume information: C:\Users\user\AppData\Roaming\ADWASl.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Users\user\Desktop\UH7iNNKgPW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UH7iNNKgPW.exe PID: 4344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KUPAL.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ADWASl.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UH7iNNKgPW.exe PID: 4344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KUPAL.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ADWASl.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UH7iNNKgPW.exe PID: 4344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KUPAL.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ADWASl.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.KUPAL.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d33750.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ADWASl.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UH7iNNKgPW.exe.12d16908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2119186430.0000000012CF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2117323829.0000000000E92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2118174908.0000000000682000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UH7iNNKgPW.exe PID: 4344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KUPAL.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ADWASl.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\KUPAL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ADWASl.exe, type: DROPPED

ID:	1561583
Product:	CloudBasic
Start time:	20:57:06
Start date:	23.11.2024
Sample:	UH7iNNKgPW.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	f01ac0aa6cfa3465c7a940f9a1fac989
SHA1:	a04194eee58ce77420a4d38e0db26d1016e30df1
SHA256:	cd330adb64da87d5cd0e2cb83d84cfb0dd8501c915ba5b17cbd3ef2ac8e640d7
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UH7iNNKgPW.exe.log	CSV text	30E4BDFC34907D0E4D11152CAEBE27FA	825402D6B151041BA01C5117387228EC9B7168BF	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	446DD1CF97EABA21CF14D03AEBC79F27	36E4CC7367E0C7B40F4A8ACE272941EA46373799	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0laiuu5a.43r.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0q1o4an5.5xs.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3qhksazs.y2i.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4rjljiwu.x1w.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_55pkjazo.w12.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5axlstur.qxb.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cfyfzqj0.3xz.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d3orsoly.e4g.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d3umcrtz.wcy.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dpyndwbw.qgo.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f3znqaiw.sbj.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fezj51pd.lfs.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ha4qrnbm.wdr.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_huvki03i.bg3.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hz5lerdo.ij2.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i5bs2wk2.svb.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k5h3poes.q1x.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kdiva3sm.osh.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_msa4nzto.d4u.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nyeksvtm.nqj.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qsxdcpbk.wnw.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qvxsy0z5.bim.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qzo4arj3.2gi.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rdwq2z1i.jwe.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tihjq4gb.off.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vmqovp4e.hxh.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vrioal35.3nl.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vyo5mbyo.2va.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vysfs1ih.zqi.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xbaiktln.csg.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xsnyxakx.03b.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z23u4h5e.be3.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\ADWASl.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	AD125269D35F20666B5522166259AC39	CDF6E0AA20555380073CC3ADB889AA646BBEE132	33A8BD9E272BE246315CA7E0B4BF76DE70B56A50B2DF7173CD581FE6B17A3BC8
C:\Users\user\AppData\Roaming\KUPAL.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	836B78CBD0059751654B1E8B56F1B429	E0B50529BF27D8EA46DA86AD70FCFE2D6DE2D025	520CEE13F03430266DAD1BD26F0B4989CF345607FE7D6C45FD69BA4804F91ACB

Windows Analysis Report
UH7iNNKgPW.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report UH7iNNKgPW.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
UH7iNNKgPW.exe

Malware Threat Intel
Provided by