Windows Analysis Report
aS4XS9m23e.exe

Overview

General Information

Sample name: aS4XS9m23e.exe
renamed because original name is a hash value
Original sample name: a1c682e062a48d9c0b1a1c2d818873e7.exe
Analysis ID: 1501227
MD5: a1c682e062a48d9c0b1a1c2d818873e7
SHA1: bed463472dac1ea86538e3627a84c268df713df5
SHA256: ac16409881c939baaca90116feba3724f5d6aed3dc7ca00672dfee067c72c2ae
Tags: exeRedLineStealer
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Found malware configuration
Source: 8.2.mjCLFIohWTlhgd.exe.387f800.4.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["85.209.133.187:1912"], "Bot Id": "BIN", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe ReversingLabs: Detection: 65%
Multi AV Scanner detection for submitted file
Source: aS4XS9m23e.exe ReversingLabs: Detection: 65%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: aS4XS9m23e.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: aS4XS9m23e.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: aS4XS9m23e.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RCDR.pdbSHA256= source: aS4XS9m23e.exe, mjCLFIohWTlhgd.exe.0.dr
Source: Binary string: RCDR.pdb source: aS4XS9m23e.exe, mjCLFIohWTlhgd.exe.0.dr

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49731 -> 85.209.133.187:1912
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49730 -> 85.209.133.187:1912
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49730 -> 85.209.133.187:1912
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49731 -> 85.209.133.187:1912
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 85.209.133.187:1912 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 85.209.133.187:1912 -> 192.168.2.4:49731
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 85.209.133.187:1912 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 85.209.133.187:1912 -> 192.168.2.4:49731
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 85.209.133.187:1912
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 85.209.133.187:1912
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CMCSUS CMCSUS
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.133.187
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: aS4XS9m23e.exe, 00000000.00000002.1706854872.00000000026C7000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 00000008.00000002.1750753728.000000000281F000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003332000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.000000000326B000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.000000000331E000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003332000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.000000000329C000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.000000000329C000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003316000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003332000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003294000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003294000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: aS4XS9m23e.exe, 00000000.00000002.1715114558.0000000004194000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000000.00000002.1715114558.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000000.00000002.1715114558.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1819381063.0000000000402000.00000040.00000400.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 00000008.00000002.1753433472.0000000003834000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 00000008.00000002.1753433472.0000000003868000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 00000008.00000002.1753433472.00000000038B3000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Detected potential crypto function
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Code function: 0_2_0225D5DC 0_2_0225D5DC
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Code function: 0_2_07A357AA 0_2_07A357AA
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Code function: 0_2_07A357B8 0_2_07A357B8
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Code function: 0_2_07A32327 0_2_07A32327
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Code function: 0_2_07A32338 0_2_07A32338
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Code function: 0_2_07A30C90 0_2_07A30C90
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Code function: 0_2_07A32C10 0_2_07A32C10
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Code function: 0_2_07A30858 0_2_07A30858
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Code function: 7_2_02BEDC74 7_2_02BEDC74
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 8_2_00E6D5DC 8_2_00E6D5DC
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 8_2_05A07388 8_2_05A07388
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 8_2_05A052C8 8_2_05A052C8
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 8_2_05A03C50 8_2_05A03C50
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 8_2_05A09F10 8_2_05A09F10
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 8_2_05A026C8 8_2_05A026C8
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 8_2_05A026D8 8_2_05A026D8
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 8_2_05A052BA 8_2_05A052BA
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 8_2_05A03228 8_2_05A03228
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 8_2_05A03218 8_2_05A03218
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 8_2_05A03C15 8_2_05A03C15
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 8_2_05A09F00 8_2_05A09F00
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 8_2_05A09900 8_2_05A09900
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 8_2_05A098F0 8_2_05A098F0
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_02E3DC74 12_2_02E3DC74
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_054CEE58 12_2_054CEE58
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_054C8850 12_2_054C8850
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_054C0040 12_2_054C0040
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_054C0006 12_2_054C0006
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_054C8840 12_2_054C8840
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_05ADB5B0 12_2_05ADB5B0
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_05AD96C8 12_2_05AD96C8
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_05AD7660 12_2_05AD7660
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_05ADB170 12_2_05ADB170
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_05ADB9E8 12_2_05ADB9E8
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_05AD6928 12_2_05AD6928
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_067AB228 12_2_067AB228
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_067AC848 12_2_067AC848
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_067AA908 12_2_067AA908
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_067AF660 12_2_067AF660
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_067AF650 12_2_067AF650
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_067AB219 12_2_067AB219
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_067A30E0 12_2_067A30E0
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_067AC838 12_2_067AC838
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_067A92C8 12_2_067A92C8
Sample file is different than original file name gathered from version info
Source: aS4XS9m23e.exe, 00000000.00000002.1724802320.0000000004F20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSalmun.dll. vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1725569609.0000000007D50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1706854872.00000000023E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSalmun.dll. vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1715114558.0000000004194000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1715114558.000000000422A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000000.1691055371.0000000000112000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRCDR.exe( vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1727285984.000000000B776000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1727285984.000000000B776000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRCDR.exe( vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1715114558.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1715114558.00000000041DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1706854872.0000000002404000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSalmun.dll. vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1704789511.000000000066E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1706854872.000000000245A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSalmun.dll. vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1819381063.0000000000446000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefirefox.exe0 vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamechrome.exe< vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIEXPLORE.EXED vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q,\\StringFileInfo\\080904B0\\OriginalFilename vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsedge.exe> vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1820320958.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe Binary or memory string: OriginalFilenameRCDR.exe( vs aS4XS9m23e.exe
Uses 32bit PE files
Source: aS4XS9m23e.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: aS4XS9m23e.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mjCLFIohWTlhgd.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, SImenbonHhNE64Sk5C.cs Security API names: _0020.SetAccessControl
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, SImenbonHhNE64Sk5C.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, SImenbonHhNE64Sk5C.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, SImenbonHhNE64Sk5C.cs Security API names: _0020.SetAccessControl
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, SImenbonHhNE64Sk5C.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, SImenbonHhNE64Sk5C.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, R8S4YJKjS79XM3F61y.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, R8S4YJKjS79XM3F61y.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.aS4XS9m23e.exe.4f20000.10.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.aS4XS9m23e.exe.245e390.2.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.aS4XS9m23e.exe.244a74c.1.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@20/15@0/1
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File created: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6868:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5012:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File created: C:\Users\user\AppData\Local\Temp\tmpA2E9.tmp Jump to behavior
Source: aS4XS9m23e.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: aS4XS9m23e.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\aS4XS9m23e.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\aS4XS9m23e.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
Source: C:\Users\user\Desktop\aS4XS9m23e.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\aS4XS9m23e.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: aS4XS9m23e.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File read: C:\Users\user\Desktop\aS4XS9m23e.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\aS4XS9m23e.exe "C:\Users\user\Desktop\aS4XS9m23e.exe"
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\aS4XS9m23e.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpA2E9.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process created: C:\Users\user\Desktop\aS4XS9m23e.exe "C:\Users\user\Desktop\aS4XS9m23e.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpB4FA.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process created: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe "C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\aS4XS9m23e.exe" Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe" Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpA2E9.tmp" Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process created: C:\Users\user\Desktop\aS4XS9m23e.exe "C:\Users\user\Desktop\aS4XS9m23e.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpB4FA.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process created: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe "C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe" Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: msvcp140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: aS4XS9m23e.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: aS4XS9m23e.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: aS4XS9m23e.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: RCDR.pdbSHA256= source: aS4XS9m23e.exe, mjCLFIohWTlhgd.exe.0.dr
Source: Binary string: RCDR.pdb source: aS4XS9m23e.exe, mjCLFIohWTlhgd.exe.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: aS4XS9m23e.exe, FormMain.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: mjCLFIohWTlhgd.exe.0.dr, FormMain.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.aS4XS9m23e.exe.4ce0000.9.raw.unpack, PingPong.cs .Net Code: _202B_206B_206C_202A_206A_202A_200D_200F_200B_202D_206D_202A_206D_206E_206A_202B_200F_200D_202B_202B_202D_206C_200F_206C_206A_206E_200C_202D_206F_206D_206A_202D_200C_200D_200E_206D_200E_202D_206E_200E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.aS4XS9m23e.exe.34045c0.6.raw.unpack, PingPong.cs .Net Code: _202B_206B_206C_202A_206A_202A_200D_200F_200B_202D_206D_202A_206D_206E_206A_202B_200F_200D_202B_202B_202D_206C_200F_206C_206A_206E_200C_202D_206F_206D_206A_202D_200C_200D_200E_206D_200E_202D_206E_200E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, SImenbonHhNE64Sk5C.cs .Net Code: fn5TswrbXPesOPsTicT System.Reflection.Assembly.Load(byte[])
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, SImenbonHhNE64Sk5C.cs .Net Code: fn5TswrbXPesOPsTicT System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: aS4XS9m23e.exe Static PE information: 0xEE1E000E [Sat Aug 4 18:31:42 2096 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Code function: 0_2_07A38F45 push FFFFFF8Bh; iretd 0_2_07A38F47
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Code function: 0_2_07A35BE0 push esp; ret 0_2_07A35BE1
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Code function: 7_2_02BEC1E1 push cs; retf 7_2_02BEC1EE
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Code function: 7_2_02BE47D7 push ebp; ret 7_2_02BE483D
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Code function: 7_2_02BE983A push eax; retf 7_2_02BE983B
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 8_2_05A0268B push esp; ret 8_2_05A0268C
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 8_2_05A059CE push 69FFFFFEh; ret 8_2_05A059D3
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_054CD442 push eax; ret 12_2_054CD451
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_05AD8C90 push ecx; ret 12_2_05AD8EE2
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_05AD8E90 push ecx; ret 12_2_05AD8EE2
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_067A75DC push 8BD08BFCh; iretd 12_2_067A75E1
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Code function: 12_2_067A7A92 push 8BD08BFCh; iretd 12_2_067A7A97
Source: aS4XS9m23e.exe Static PE information: section name: .text entropy: 7.827386336620395
Source: mjCLFIohWTlhgd.exe.0.dr Static PE information: section name: .text entropy: 7.827386336620395
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, R8S4YJKjS79XM3F61y.cs High entropy of concatenated method names: 'FfDXvohTcS', 'UhxXYCsXJe', 'znCXDmeATt', 'IliX86Ofuj', 'h2VXphg2j1', 'LvOXRcjcZd', 'HsiX1jh0bY', 'QoZX3THgJ7', 's1FXlBhm9K', 'fyoXrKlbU1'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, zAxyIpwTKhnef4K7Nv.cs High entropy of concatenated method names: 'HxPiGsF9bb', 'BQjiNk8wDs', 'fytdjg4H2Q', 'dT2d6Md6UJ', 'kXddnqXiwI', 'J5adOdJcdu', 'oNrdqQaALg', 'Tg8dATJvu2', 'bdWdhsUSxU', 'JIKdB7j6Rv'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, WFU9KKJA5xKyctnM2Z.cs High entropy of concatenated method names: 'OSvQa8S4YJ', 'HS7Qo9XM3F', 'dfrQ9NoViC', 'lwDQ72MAxy', 'vK7QgNvqRV', 'SrjQPkL5TF', 'NJ3TvCIsGVLhwJm7x2', 'n9hKlaFDwDNUtQwjS1', 'DZ7QQBaupv', 'qKtQcWh1B5'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, FRButebDvSMlp4EWM0.cs High entropy of concatenated method names: 'hGTY7p6japrTPaa9JNu', 'jqQ75b6GMUU8bCE55eI', 'zDWksYhrX2', 'KbvkC5HseB', 'HRQkTqaXD7', 'srJVQd63reVKHbMgXjS', 'hfUBiQ6cLYJAS1E3yil', 'MKYX6o68xtXd7hHc6sV'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, QqIB8XXbskoyyUDO29.cs High entropy of concatenated method names: 'Dispose', 'YhCQloIRE3', 'pWUEbF5X9D', 'Gpqee9gSF4', 'gBkQrYKcgu', 'qXiQz27w25', 'ProcessDialogKey', 'HscEVHD9Pf', 'mUpEQPvnhW', 'cRnEESW7CB'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, BIwkGYdbdIvNJ2eTjq.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'topElYP9h4', 'PUfEra9DVu', 'O3mEzo68Yf', 'NgCcVEF1m4', 'v2kcQiMjZq', 'UQxcESKktE', 'JELccXZsuB', 'q1STGEr6O69up7UREVT'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, DDMeWyDwJlBT3BPtTq.cs High entropy of concatenated method names: 'ToString', 'jZJPLOuZWI', 'cS6Pb9xZ1G', 'DS5PjmNn80', 'amwP6CBAff', 'rKyPnH3huG', 'NlTPOqEHmU', 'FHbPq1WKFY', 'DBSPAOTPWw', 'GvUPhMlyl6'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, o8lBHfRxpS5EawtT34.cs High entropy of concatenated method names: 'HBMx3Rfgrp', 'sC7xrYBd0H', 'z8ksVr53YJ', 'DjssQnXq5g', 'gNOxLnS338', 'Bckx03KM3Q', 'lFdxItxas9', 'LYYxv28ht5', 'kjQxYknRIo', 'jHvxDF45hr'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, brw85TEd7RapdvLqKK.cs High entropy of concatenated method names: 'IPjMJ0Y86', 'OBq2EWQuk', 'TgkSyElB5', 'jegN4pGfh', 'tB9mc0yl9', 'tLnwyTuMq', 'WihXxYOO5w65aZJA0V', 'R4XY34NEuctyvqX3fU', 'JoOsJAVll', 'scwTLw7lc'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, pyj4hWQcGquiBcRb4yO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UhgTvWxAJP', 'mNZTYDaCOu', 'Jl7TDTqAar', 'bVKT82Lyst', 'bsmTpaIpk7', 'HhmTRY600Q', 'jEqT1KhHKP'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, IRJXpUQVdUfGuHIwlYH.cs High entropy of concatenated method names: 'U6oCZRqgGs', 'XPZC5NA5tr', 'vKCCMLDokZ', 'QZGC2L8GlV', 'MLXCGiGqLo', 's8bCSJf39m', 'j5jCNisyjG', 'sZGCKYXwb7', 'uRwCmT40an', 'UbSCw1hYow'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, dHD9Pfl9UpPvnhWcRn.cs High entropy of concatenated method names: 'ibtsuEuuvM', 'Y4MsbAUCw2', 'SIVsjRTNC4', 'byIs68x49Q', 'wKCsvrw3UJ', 'cfcsnCB5H5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, FkWti3qZvcHhuARErS.cs High entropy of concatenated method names: 'WA6afCa0O2', 'k8fadxi5if', 'akTakpMol3', 'IcSkrcqKvM', 'SHckzoYbwj', 'IAbaV2rsEN', 'OGVaQp9bqI', 'GRsaEAVewA', 'e0gacXP7Ns', 'kZiaJ9X9dV'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, R1BKZNIvfU2wWRS7CK.cs High entropy of concatenated method names: 'wt4FKLlEJi', 'wMKFmmBn85', 'fXCFuLP3Kr', 'w21FbwgmiI', 'sDTF6jUVfv', 'cB4FnqvAXp', 's1VFqO5Jay', 'xslFATIJqS', 'vG1FBi30KE', 'hBmFLJSaQB'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, NkYKcg3usXi27w25js.cs High entropy of concatenated method names: 'mlCsfm45hm', 'kIVsXWfoMx', 'jbrsdLVaDT', 'eSKsikejPA', 'HgwskUJNq3', 'RpSsaqLcGG', 'SfRsowi3BM', 'kWWsHJopS2', 'chxs96U7Ns', 'spts7Mc2Sp'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, IYRikavddLvq8ZhnHY.cs High entropy of concatenated method names: 'gZ2gBaEiBJ', 'EC7g0E9A3D', 'A4bgv6bwTA', 'lwBgYqGLPM', 'OSwgbR6qTl', 'KlYgjIyVRm', 'iCMg6KPADW', 'Gcwgn4rSqE', 'uTYgO2BWdV', 'M0Agq35Gkp'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, j6JrWi8mtm7M3mOwCy.cs High entropy of concatenated method names: 'wRgx9qSqkd', 'jYXx7TFuul', 'ToString', 'kt5xfqOobQ', 'FsaxX4BR5l', 'fCqxdFUWKb', 'oGOxi9jQsn', 'eohxkPP2N6', 'Bl0xayjoIj', 'KJWxo9J3mk'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, SImenbonHhNE64Sk5C.cs High entropy of concatenated method names: 'pEAcyPhptD', 'l7RcfmIX1x', 'vnacXR5imR', 'moxcd3om5b', 'g3icitNb5B', 'EG7ck2ly02', 'SUocafTqtN', 'neHcoFCpTJ', 'nm6cHcwFb6', 'EMEc9bt8d4'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, BW7CBHr7yd8eYI7iuI.cs High entropy of concatenated method names: 'j22CQPF8R3', 'Vk5CcmYdtj', 'F1QCJqY6v1', 'yBRCfp8AJ5', 'UZFCXhZSIC', 'i5LCiGa1EA', 'c92CkIbkvl', 'fv9s1Gv8Ln', 'dvxs3iE4da', 'Om4sloWhjq'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, iawlVJmfrNoViCHwD2.cs High entropy of concatenated method names: 'XeFd2utP7q', 'S9VdSxSx0V', 'dRhdKTelS7', 'dQgdmM19s8', 'ES3dgtrrDJ', 'XAIdP323RM', 'zmtdxW2HIR', 'nJkdsScFVE', 'uG7dCPG3KH', 'EZ8dTo7ppr'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, KRVDrjukL5TFTGeb51.cs High entropy of concatenated method names: 'JT1kyCD5uD', 'oY3kXfKb29', 'qufkie1FNQ', 'F2qkaZAMuS', 'uhtkoTgmdm', 'LLhipIDYYF', 'nUliRM5HNg', 'R9Xi1WHDto', 'Eu3i3GGalY', 'va6ilkLstF'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, Jc68PPhxOf9FN6n7TO.cs High entropy of concatenated method names: 'yIPaZqGyf8', 'vXia5hG2cB', 'EFaaMxhyHo', 'RSpa275tyi', 'DRWaGADwKA', 'AWaaSr3JKP', 'qTVaNXyQLJ', 'N4baKomYc6', 'W0bamfAptJ', 'unCawhilSD'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, R8S4YJKjS79XM3F61y.cs High entropy of concatenated method names: 'FfDXvohTcS', 'UhxXYCsXJe', 'znCXDmeATt', 'IliX86Ofuj', 'h2VXphg2j1', 'LvOXRcjcZd', 'HsiX1jh0bY', 'QoZX3THgJ7', 's1FXlBhm9K', 'fyoXrKlbU1'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, zAxyIpwTKhnef4K7Nv.cs High entropy of concatenated method names: 'HxPiGsF9bb', 'BQjiNk8wDs', 'fytdjg4H2Q', 'dT2d6Md6UJ', 'kXddnqXiwI', 'J5adOdJcdu', 'oNrdqQaALg', 'Tg8dATJvu2', 'bdWdhsUSxU', 'JIKdB7j6Rv'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, WFU9KKJA5xKyctnM2Z.cs High entropy of concatenated method names: 'OSvQa8S4YJ', 'HS7Qo9XM3F', 'dfrQ9NoViC', 'lwDQ72MAxy', 'vK7QgNvqRV', 'SrjQPkL5TF', 'NJ3TvCIsGVLhwJm7x2', 'n9hKlaFDwDNUtQwjS1', 'DZ7QQBaupv', 'qKtQcWh1B5'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, FRButebDvSMlp4EWM0.cs High entropy of concatenated method names: 'hGTY7p6japrTPaa9JNu', 'jqQ75b6GMUU8bCE55eI', 'zDWksYhrX2', 'KbvkC5HseB', 'HRQkTqaXD7', 'srJVQd63reVKHbMgXjS', 'hfUBiQ6cLYJAS1E3yil', 'MKYX6o68xtXd7hHc6sV'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, QqIB8XXbskoyyUDO29.cs High entropy of concatenated method names: 'Dispose', 'YhCQloIRE3', 'pWUEbF5X9D', 'Gpqee9gSF4', 'gBkQrYKcgu', 'qXiQz27w25', 'ProcessDialogKey', 'HscEVHD9Pf', 'mUpEQPvnhW', 'cRnEESW7CB'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, BIwkGYdbdIvNJ2eTjq.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'topElYP9h4', 'PUfEra9DVu', 'O3mEzo68Yf', 'NgCcVEF1m4', 'v2kcQiMjZq', 'UQxcESKktE', 'JELccXZsuB', 'q1STGEr6O69up7UREVT'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, DDMeWyDwJlBT3BPtTq.cs High entropy of concatenated method names: 'ToString', 'jZJPLOuZWI', 'cS6Pb9xZ1G', 'DS5PjmNn80', 'amwP6CBAff', 'rKyPnH3huG', 'NlTPOqEHmU', 'FHbPq1WKFY', 'DBSPAOTPWw', 'GvUPhMlyl6'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, o8lBHfRxpS5EawtT34.cs High entropy of concatenated method names: 'HBMx3Rfgrp', 'sC7xrYBd0H', 'z8ksVr53YJ', 'DjssQnXq5g', 'gNOxLnS338', 'Bckx03KM3Q', 'lFdxItxas9', 'LYYxv28ht5', 'kjQxYknRIo', 'jHvxDF45hr'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, brw85TEd7RapdvLqKK.cs High entropy of concatenated method names: 'IPjMJ0Y86', 'OBq2EWQuk', 'TgkSyElB5', 'jegN4pGfh', 'tB9mc0yl9', 'tLnwyTuMq', 'WihXxYOO5w65aZJA0V', 'R4XY34NEuctyvqX3fU', 'JoOsJAVll', 'scwTLw7lc'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, pyj4hWQcGquiBcRb4yO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UhgTvWxAJP', 'mNZTYDaCOu', 'Jl7TDTqAar', 'bVKT82Lyst', 'bsmTpaIpk7', 'HhmTRY600Q', 'jEqT1KhHKP'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, IRJXpUQVdUfGuHIwlYH.cs High entropy of concatenated method names: 'U6oCZRqgGs', 'XPZC5NA5tr', 'vKCCMLDokZ', 'QZGC2L8GlV', 'MLXCGiGqLo', 's8bCSJf39m', 'j5jCNisyjG', 'sZGCKYXwb7', 'uRwCmT40an', 'UbSCw1hYow'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, dHD9Pfl9UpPvnhWcRn.cs High entropy of concatenated method names: 'ibtsuEuuvM', 'Y4MsbAUCw2', 'SIVsjRTNC4', 'byIs68x49Q', 'wKCsvrw3UJ', 'cfcsnCB5H5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, FkWti3qZvcHhuARErS.cs High entropy of concatenated method names: 'WA6afCa0O2', 'k8fadxi5if', 'akTakpMol3', 'IcSkrcqKvM', 'SHckzoYbwj', 'IAbaV2rsEN', 'OGVaQp9bqI', 'GRsaEAVewA', 'e0gacXP7Ns', 'kZiaJ9X9dV'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, R1BKZNIvfU2wWRS7CK.cs High entropy of concatenated method names: 'wt4FKLlEJi', 'wMKFmmBn85', 'fXCFuLP3Kr', 'w21FbwgmiI', 'sDTF6jUVfv', 'cB4FnqvAXp', 's1VFqO5Jay', 'xslFATIJqS', 'vG1FBi30KE', 'hBmFLJSaQB'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, NkYKcg3usXi27w25js.cs High entropy of concatenated method names: 'mlCsfm45hm', 'kIVsXWfoMx', 'jbrsdLVaDT', 'eSKsikejPA', 'HgwskUJNq3', 'RpSsaqLcGG', 'SfRsowi3BM', 'kWWsHJopS2', 'chxs96U7Ns', 'spts7Mc2Sp'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, IYRikavddLvq8ZhnHY.cs High entropy of concatenated method names: 'gZ2gBaEiBJ', 'EC7g0E9A3D', 'A4bgv6bwTA', 'lwBgYqGLPM', 'OSwgbR6qTl', 'KlYgjIyVRm', 'iCMg6KPADW', 'Gcwgn4rSqE', 'uTYgO2BWdV', 'M0Agq35Gkp'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, j6JrWi8mtm7M3mOwCy.cs High entropy of concatenated method names: 'wRgx9qSqkd', 'jYXx7TFuul', 'ToString', 'kt5xfqOobQ', 'FsaxX4BR5l', 'fCqxdFUWKb', 'oGOxi9jQsn', 'eohxkPP2N6', 'Bl0xayjoIj', 'KJWxo9J3mk'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, SImenbonHhNE64Sk5C.cs High entropy of concatenated method names: 'pEAcyPhptD', 'l7RcfmIX1x', 'vnacXR5imR', 'moxcd3om5b', 'g3icitNb5B', 'EG7ck2ly02', 'SUocafTqtN', 'neHcoFCpTJ', 'nm6cHcwFb6', 'EMEc9bt8d4'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, BW7CBHr7yd8eYI7iuI.cs High entropy of concatenated method names: 'j22CQPF8R3', 'Vk5CcmYdtj', 'F1QCJqY6v1', 'yBRCfp8AJ5', 'UZFCXhZSIC', 'i5LCiGa1EA', 'c92CkIbkvl', 'fv9s1Gv8Ln', 'dvxs3iE4da', 'Om4sloWhjq'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, iawlVJmfrNoViCHwD2.cs High entropy of concatenated method names: 'XeFd2utP7q', 'S9VdSxSx0V', 'dRhdKTelS7', 'dQgdmM19s8', 'ES3dgtrrDJ', 'XAIdP323RM', 'zmtdxW2HIR', 'nJkdsScFVE', 'uG7dCPG3KH', 'EZ8dTo7ppr'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, KRVDrjukL5TFTGeb51.cs High entropy of concatenated method names: 'JT1kyCD5uD', 'oY3kXfKb29', 'qufkie1FNQ', 'F2qkaZAMuS', 'uhtkoTgmdm', 'LLhipIDYYF', 'nUliRM5HNg', 'R9Xi1WHDto', 'Eu3i3GGalY', 'va6ilkLstF'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, Jc68PPhxOf9FN6n7TO.cs High entropy of concatenated method names: 'yIPaZqGyf8', 'vXia5hG2cB', 'EFaaMxhyHo', 'RSpa275tyi', 'DRWaGADwKA', 'AWaaSr3JKP', 'qTVaNXyQLJ', 'N4baKomYc6', 'W0bamfAptJ', 'unCawhilSD'
Drops PE files
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File created: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpA2E9.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: aS4XS9m23e.exe PID: 6644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mjCLFIohWTlhgd.exe PID: 6432, type: MEMORYSTR
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\Desktop\aS4XS9m23e.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\aS4XS9m23e.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Memory allocated: 2250000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Memory allocated: 23E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Memory allocated: 43E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Memory allocated: 5640000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Memory allocated: 6640000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Memory allocated: 6770000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Memory allocated: 7770000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Memory allocated: 7DE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Memory allocated: 8DE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Memory allocated: 9DE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Memory allocated: ADE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Memory allocated: 1240000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Memory allocated: 2CD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Memory allocated: 2A30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Memory allocated: E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Memory allocated: 27F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Memory allocated: 47F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Memory allocated: 5B50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Memory allocated: 6B50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Memory allocated: 6C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Memory allocated: 7C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Memory allocated: 8410000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Memory allocated: 5B50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Memory allocated: 2D40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Memory allocated: 2FB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Memory allocated: 2D40000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5127 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 364 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5013 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 367 Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Window / User API: threadDelayed 943 Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Window / User API: threadDelayed 2821 Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Window / User API: threadDelayed 1542
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Window / User API: threadDelayed 3865
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\aS4XS9m23e.exe TID: 6720 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6096 Thread sleep count: 5127 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7140 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6096 Thread sleep count: 364 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7124 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7112 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5840 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe TID: 5312 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe TID: 1928 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe TID: 4192 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe TID: 7076 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe TID: 5672 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\aS4XS9m23e.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Thread delayed: delay time: 922337203685477
Source: aS4XS9m23e.exe, 00000000.00000002.1704789511.00000000006D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}a
Source: aS4XS9m23e.exe, 00000007.00000002.1820320958.000000000107C000.00000004.00000020.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1850838372.00000000010F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: aS4XS9m23e.exe, 00000000.00000002.1715114558.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 9%fvmci0[P@
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\aS4XS9m23e.exe"
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe"
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\aS4XS9m23e.exe" Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Memory written: C:\Users\user\Desktop\aS4XS9m23e.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\aS4XS9m23e.exe" Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe" Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpA2E9.tmp" Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Process created: C:\Users\user\Desktop\aS4XS9m23e.exe "C:\Users\user\Desktop\aS4XS9m23e.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpB4FA.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Process created: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe "C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Queries volume information: C:\Users\user\Desktop\aS4XS9m23e.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Queries volume information: C:\Users\user\Desktop\aS4XS9m23e.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Queries volume information: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Queries volume information: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\aS4XS9m23e.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\Desktop\aS4XS9m23e.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\aS4XS9m23e.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\aS4XS9m23e.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\aS4XS9m23e.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\aS4XS9m23e.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\aS4XS9m23e.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information
barindex
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 8.2.mjCLFIohWTlhgd.exe.38345e0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mjCLFIohWTlhgd.exe.387f800.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.aS4XS9m23e.exe.419ce80.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mjCLFIohWTlhgd.exe.38345e0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mjCLFIohWTlhgd.exe.387f800.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.aS4XS9m23e.exe.419ce80.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.aS4XS9m23e.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1753433472.0000000003834000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1715114558.0000000004194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1819381063.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1753433472.0000000003868000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1715114558.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1753433472.00000000038B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1715114558.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: aS4XS9m23e.exe PID: 6644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aS4XS9m23e.exe PID: 4268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mjCLFIohWTlhgd.exe PID: 6432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mjCLFIohWTlhgd.exe PID: 7112, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumE#
Source: mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: JaxxE#
Source: mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.walletLR^q0
Source: mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum\walletsLR^q
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusE#
Source: mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $^q%appdata%`,^qdC:\Users\user\AppData\Roaming`,^qdC:\Users\user\AppData\Roaming\Binance
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: EthereumE#
Source: mjCLFIohWTlhgd.exe, 0000000C.00000002.1865799472.0000000006400000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\*S
Source: mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $^q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File opened: C:\Users\user\AppData\Roaming\atomic\ Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\ Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\ Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File opened: C:\Users\user\AppData\Roaming\Guarda\ Jump to behavior
Source: C:\Users\user\Desktop\aS4XS9m23e.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Yara detected Credential Stealer
Source: Yara match File source: 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: aS4XS9m23e.exe PID: 4268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mjCLFIohWTlhgd.exe PID: 7112, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 8.2.mjCLFIohWTlhgd.exe.38345e0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mjCLFIohWTlhgd.exe.387f800.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.aS4XS9m23e.exe.419ce80.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mjCLFIohWTlhgd.exe.38345e0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mjCLFIohWTlhgd.exe.387f800.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.aS4XS9m23e.exe.419ce80.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.aS4XS9m23e.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1753433472.0000000003834000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1715114558.0000000004194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1819381063.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1753433472.0000000003868000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1715114558.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1753433472.00000000038B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1715114558.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: aS4XS9m23e.exe PID: 6644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aS4XS9m23e.exe PID: 4268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mjCLFIohWTlhgd.exe PID: 6432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mjCLFIohWTlhgd.exe PID: 7112, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1501227 Sample: aS4XS9m23e.exe Startdate: 29/08/2024 Architecture: WINDOWS Score: 100 50 Suricata IDS alerts for network traffic 2->50 52 Found malware configuration 2->52 54 Sigma detected: Scheduled temp file as task from temp location 2->54 56 8 other signatures 2->56 8 aS4XS9m23e.exe 7 2->8         started        12 mjCLFIohWTlhgd.exe 5 2->12         started        process3 file4 40 C:\Users\user\AppData\...\mjCLFIohWTlhgd.exe, PE32 8->40 dropped 42 C:\...\mjCLFIohWTlhgd.exe:Zone.Identifier, ASCII 8->42 dropped 44 C:\Users\user\AppData\Local\...\tmpA2E9.tmp, XML 8->44 dropped 46 C:\Users\user\AppData\...\aS4XS9m23e.exe.log, ASCII 8->46 dropped 58 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->58 60 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 8->62 68 2 other signatures 8->68 14 aS4XS9m23e.exe 5 3 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        64 Multi AV Scanner detection for dropped file 12->64 66 Machine Learning detection for dropped file 12->66 24 mjCLFIohWTlhgd.exe 12->24         started        26 schtasks.exe 12->26         started        signatures5 process6 dnsIp7 48 85.209.133.187, 1912, 49730, 49731 CMCSUS Germany 14->48 70 Loading BitLocker PowerShell Module 18->70 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        72 Found many strings related to Crypto-Wallets (likely being stolen) 24->72 74 Tries to harvest and steal browser information (history, passwords, etc) 24->74 76 Tries to steal Crypto Currency Wallets 24->76 36 conhost.exe 26->36         started        signatures8 process9 process10 38 conhost.exe 28->38         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
85.209.133.187
 unknown Germany
33657 CMCSUS true

Contacted URLs

Name Malicious Antivirus Detection Reputation
85.209.133.187:1912 true
  • Avira URL Cloud: safe
 unknown