Windows Analysis Report
F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Overview

General Information

Sample name:	F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Analysis ID:	1528881
MD5:	70566f5275ea7ac9fca0ebd9c31bb101
SHA1:	6957d5f073ccf99c3a65563ad70d7fca33839250
SHA256:	5602833d8b536edfbf979eb740f3345c291a68fc11f868dca1bef92f722420fa
Tags:	AsyncRATexeuser-threatcat_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses an obfuscated file name to hide its real file extension (double extension)

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Found malware configuration

Source: 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for domain / URL

Source: 104.250.180.178

Virustotal: Detection: 15%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Roaming\XClient.exe	Virustotal: Detection: 28%			Perma Link

Multi AV Scanner detection for submitted file

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	ReversingLabs: Detection: 18%
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Virustotal: Detection: 28%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: 104.250.180.178
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: 7061
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: <123456789>
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: XWorm V5.2
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: USB.exe
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: %AppData%
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: XClient.exe

Uses 32bit PE files

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: SmhB.pdb source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, XClient.exe.3.dr
Source:	Binary string: SmhB.pdbSHA256 source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, XClient.exe.3.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49763 -> 104.250.180.178:7061
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 104.250.180.178:7061 -> 192.168.2.5:49763
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 104.250.180.178:7061 -> 192.168.2.5:49763
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49763 -> 104.250.180.178:7061
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49763 -> 104.250.180.178:7061

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.250.180.178

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49763 -> 104.250.180.178:7061

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.250.180.178 104.250.180.178

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178

Source: powershell.exe, 00000009.00000002.2230293062.0000000007739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000007.00000002.2183561020.00000000075C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.miE
Source: powershell.exe, 00000004.00000002.2145777627.0000000006CA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000007.00000002.2186717140.0000000008582000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000007.00000002.2164444713.000000000307B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microz
Source: powershell.exe, 00000004.00000002.2143073339.0000000005327000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2178946361.0000000005CB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2221393988.0000000005DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.2267205471.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2138530136.0000000004416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2166129126.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2267205471.0000000004BD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4534290807.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2138530136.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2166129126.0000000004C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2267205471.0000000004A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2138530136.0000000004416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2166129126.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2267205471.0000000004BD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000C.00000002.2267205471.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.2138530136.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2166129126.0000000004C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2267205471.0000000004A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000C.00000002.2267205471.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.2204031498.00000000056AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.000000000550F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2143073339.0000000005327000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2178946361.0000000005CB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2221393988.0000000005DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_00ADF044	0_2_00ADF044
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_04F926E8	0_2_04F926E8
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_04F926D7	0_2_04F926D7
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6BB48	0_2_06B6BB48
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6F5E8	0_2_06B6F5E8
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6F1B0	0_2_06B6F1B0
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6ED78	0_2_06B6ED78
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6ED68	0_2_06B6ED68
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6BB38	0_2_06B6BB38
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6E940	0_2_06B6E940
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_08963A50	0_2_08963A50
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_0896D3D4	0_2_0896D3D4
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_08961340	0_2_08961340
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_02DB6225	3_2_02DB6225
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_02DB4AC8	3_2_02DB4AC8
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_02DB3EC0	3_2_02DB3EC0
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E027B8	3_2_05E027B8
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E0C610	3_2_05E0C610
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E078F0	3_2_05E078F0
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E03088	3_2_05E03088
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E072D8	3_2_05E072D8
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E02470	3_2_05E02470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028CB4A0	4_2_028CB4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028CB490	4_2_028CB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C8B4A0	9_2_04C8B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C8B490	9_2_04C8B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08D93AA8	9_2_08D93AA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_0486B490	12_2_0486B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_08983A98	12_2_08983A98

Sample file is different than original file name gathered from version info

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000000.2075560196.0000000000580000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSmhB.exeL vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000002.2089473163.0000000006D80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000002.2087858423.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4545201691.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSmhB.exeL vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4548061176.0000000005FF9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Binary or memory string: OriginalFilenameSmhB.exeL vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Uses 32bit PE files

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XClient.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, evBSdWeBEycC8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, evBSdWeBEycC8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, gtv0gssvKWWRAOg38T65o.cs	Base64 encoded string: 'Y2m7z9x6jWcENPlNUeR5pyCUQgkINBomStoNpnlrWGD5k8Gdna37HW29JZ4or9rJpFPkm1RbMV6kU97GRxKdNyK7'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, gtv0gssvKWWRAOg38T65o.cs	Base64 encoded string: 'Y2m7z9x6jWcENPlNUeR5pyCUQgkINBomStoNpnlrWGD5k8Gdna37HW29JZ4or9rJpFPkm1RbMV6kU97GRxKdNyK7'

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.SetAccessControl
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.AddAccessRule
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, fVLhd3v9vj97x0ul7x.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.SetAccessControl
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.AddAccessRule
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.SetAccessControl
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.AddAccessRule
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, fVLhd3v9vj97x0ul7x.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, fVLhd3v9vj97x0ul7x.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/21@0/1

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1896:120:WilError_03
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\XczLagvCjDnYaiUQ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	ReversingLabs: Detection: 18%
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Virustotal: Detection: 28%

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

String found in binary or memory: $72794fd6-9579-4364-adda-1580f4b1038b

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File read: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe "C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe"
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe "C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe"
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe "C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: XClient.lnk.3.dr

LNK file: ..\..\..\..\..\XClient.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: SmhB.pdb source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, XClient.exe.3.dr
Source:	Binary string: SmhB.pdbSHA256 source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, XClient.exe.3.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.V5iefvrq5ojDNrXhTMMo4zwFWo7bRXWxOZCqoGeeUpQmix0ckylU4EMAyEK5rzrqFBO4vVj,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.GFSxJ5J90XVIk,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq._1CGKpY5HgwGOF,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.u4082n7RFaVyO,_3QiiXqkghrMk1.Ds6pGCLI6znqx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{mJgaCaREgzuBt[2],_3QiiXqkghrMk1.BvKeDBBOxQxE8(Convert.FromBase64String(mJgaCaREgzuBt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { mJgaCaREgzuBt[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.V5iefvrq5ojDNrXhTMMo4zwFWo7bRXWxOZCqoGeeUpQmix0ckylU4EMAyEK5rzrqFBO4vVj,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.GFSxJ5J90XVIk,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq._1CGKpY5HgwGOF,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.u4082n7RFaVyO,_3QiiXqkghrMk1.Ds6pGCLI6znqx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{mJgaCaREgzuBt[2],_3QiiXqkghrMk1.BvKeDBBOxQxE8(Convert.FromBase64String(mJgaCaREgzuBt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { mJgaCaREgzuBt[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2b99d98.1.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.5560000.5.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	.Net Code: hx3Wk7SK51Mj25qRcDs System.Reflection.Assembly.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	.Net Code: hx3Wk7SK51Mj25qRcDs System.Reflection.Assembly.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: WtIrNy0hVmv60 System.AppDomain.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r System.AppDomain.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: WtIrNy0hVmv60 System.AppDomain.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r System.AppDomain.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	.Net Code: hx3Wk7SK51Mj25qRcDs System.Reflection.Assembly.Load(byte[])

Binary contains a suspicious time stamp

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: 0xB1B46C76 [Sun Jun 22 20:17:58 2064 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_04F9B8B0 push eax; mov dword ptr [esp], ecx	0_2_04F9B8B4
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_08965648 pushfd ; iretd	0_2_089656F9
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_089656F0 pushfd ; iretd	0_2_089656F9
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_08965638 pushad ; iretd	0_2_08965639
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E04488 pushfd ; ret	3_2_05E04489
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E043A8 push eax; ret	3_2_05E043A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028C636D push eax; ret	4_2_028C6381
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028C3AA8 push ebx; retf	4_2_028C3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028C3A63 push ebx; retf	4_2_028C3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028C2D09 push 04B8070Fh; retf	4_2_028C2D0E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_078E1BCC pushfd ; retf	7_2_078E1BD5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C850E8 pushfd ; ret	9_2_04C85092
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C842ED push esi; ret	9_2_04C84312
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C842A8 push esi; ret	9_2_04C84312
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C873C0 pushfd ; rep ret	9_2_04C873D9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C86378 push eax; ret	9_2_04C86381
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07A41743 push 08C3A9B8h; ret	9_2_07A41763
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07A43596 push eax; iretd	9_2_07A435A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07A42CA8 pushad ; retf	9_2_07A43279
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08D95298 push 7DE8C88Bh; ret	9_2_08D952A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_0486629D push eax; ret	12_2_04866351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04865DDB push esp; ret	12_2_04865DE3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04865EF0 push 8B05A323h; retf	12_2_04865EF5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_048668FC pushad ; ret	12_2_04866903
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04866820 push eax; ret	12_2_04866833

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Static PE information: section name: .text entropy: 7.628561188344063
Source: XClient.exe.3.dr	Static PE information: section name: .text entropy: 7.628561188344063

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, fVLhd3v9vj97x0ul7x.cs	High entropy of concatenated method names: 'K3AxlOLVKI', 'VarxJn84gX', 'PJSxpaFyMT', 'C4oxQnAqnI', 'kPTxcx3RIZ', 'KcIx8ir71C', 'al4xg4pRkI', 'ar3xP1CbjZ', 'I97x28B1O4', 'PKCxfWURYJ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, oCoC4rSRQ5DbVVPrMB.cs	High entropy of concatenated method names: 'u0Jn4DtwQR', 'vd8nEkQTGN', 'F8nnsFxcrI', 'cF9Yu8HPWdNl3mAgAl2', 'mVgTqRH9pFjA5MwAUEJ', 'KtydHfHCsXaAUGQ1Zbo'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, crTyvuEhkkEYNy7pZ3.cs	High entropy of concatenated method names: 'whnA77HBsa', 'dQ7AGfZmg6', 'u8jAMq9Pip', 'ehRABaHdYk', 'qxEALDUgxD', 'oCWAd4r8Gg', 'GfYAo6gujn', 'iEfAvNanha', 'pbEAHHwQC2', 'S0DAh8rQp8'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, a7PBht10ILexMfENh5.cs	High entropy of concatenated method names: 'ty1ooJHs8noJ0FDr7rS', 'gktV4MHAI2JZgw6A5x3', 'RnvnUD2VkT', 'iIIntGEINW', 'Y7inmawLHh', 'jKlQ7UHGxLUlLuSbvOt', 'FrB5qkHBd4kY3hwgQaa', 'VNw4mHHeNyhFl9YILyi'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, nTd64leKOQkBShM71J.cs	High entropy of concatenated method names: 'HCrMnLx7W', 'HEaBLNJUZ', 'nGJd5VT8d', 'XCNoXvuef', 'ShLHn2dgQ', 'jmbhBiaek', 'fat5O0pl1xPh5SRD1F', 'ltuW3029XaQBRHk5PO', 'FxyUnsRso', 'y6PmPcuvN'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, nv80huHyIi5Z0ypRpF.cs	High entropy of concatenated method names: 'G5ibBgK5QF', 'gcXbdVUujo', 'yK7bvwjPme', 'omYbH6Td5n', 'ANZbFOshJO', 'S7lbITtPlX', 'NYnbKN9gW3', 'MfrbU1SAhn', 'aDDbticM2Q', 'YU1bm2unaD'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GdnMsM2ZpWaqTfDgbs.cs	High entropy of concatenated method names: 'pHwUOVN7Or', 'ErfU1RIwFR', 'qPnUkI1P2i', 'yTgUwTWqam', 'oVEUl5RCci', 'oIKUSwI65i', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, cRuI1ZQuA6WoRBZi6G.cs	High entropy of concatenated method names: 'gd7KiR3hi3', 'slpKDMW70S', 'ToString', 'OAQKjAaY9H', 'gcuKx9hB0d', 'yUIKbZXXeI', 'gIjKTq8hE6', 'h2QKnYMHGV', 'NklKA7JSCl', 'dBiKXmNUi1'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, OplsHdzJvA0crPbN5m.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O9Nt9ADeIG', 'sSUtFjmGmJ', 'jlYtIt1WMT', 'KUOtKERjk2', 'iH8tUuhNHm', 'Or5ttsyaX1', 'QaKtmqbuE3'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, bX9Fp8rNJpntZjUhZX0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FAIml1Vvh1', 'J3HmJaeyYt', 'k6MmpqnVku', 'JTomQd9BAT', 'hkKmc6IQqT', 'bANm8Aj7ai', 'wZVmgTfGZt'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	High entropy of concatenated method names: 'gVbNVtZ62T', 'ObvNjIoYTU', 'RCPNxaUWlK', 'AKuNboDfQc', 'DTpNTbVqOQ', 'Op2NnfLkCn', 'F8WNAjS3ND', 'xulNXYfi3f', 'YAYNu8VUtU', 'uCgNiCRPeY'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, WKYp3LxaO9xCgRuSVE.cs	High entropy of concatenated method names: 'Dispose', 'QUCr2EEIRR', 'l6Xe1mZtub', 'MmtOONhLeV', 'vcArfml14L', 'UcJrzgRJ0t', 'ProcessDialogKey', 'LSOeydnMsM', 'vpWeraqTfD', 'WbseekRito'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, qhYTVHqPF5FU4j8DXE.cs	High entropy of concatenated method names: 'aE79vAZDC2', 'GjS9HF8Wnh', 'gOs9OPlSXR', 'B4Q91gg9mK', 'sFG9wOKrdq', 'hhZ9SwuKqN', 'OIX94xU5UB', 'hoD9Yy4UJe', 'W1F93UZ2o8', 'cft90dsjhg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, gbbVA14tBQCOnqKU9Y.cs	High entropy of concatenated method names: 'DUfAjERvfC', 'IErAbUc97J', 'JZ6AnQkN2F', 'J4UnfcEXMV', 'rPJnzOK7Hv', 'CCJAyBULpZ', 'TfpArh6bBv', 'QRIAe6iWt2', 'zwgAN4uRWD', 'AB4AR7xLgg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, UAml14PLccJgRJ0t4S.cs	High entropy of concatenated method names: 'UwgUj4PTKm', 'lG1UxpBtKI', 'BB7UbmhkXR', 'nF8UTuAioQ', 's3xUn9Z96C', 'i9TUAlGsae', 'IhsUX9TMZW', 'lrLUud4Zkw', 'CQuUiV7JRT', 'cfDUDmKxpR'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, tAcbefryMggPVwpTLx7.cs	High entropy of concatenated method names: 'OiQt77QEWV', 'IqAtG9rvsK', 'ctCtM0VyVp', 'wA1tBYOj2s', 'y1mtL1nKmK', 'WlGtdJlRdr', 'JemtoeZPJu', 'tAdtvh0fNI', 'rU9tHRIjXg', 'UTFtht5mEC'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, HRito2ftyhW443Hxbl.cs	High entropy of concatenated method names: 'Ldmtr7evZA', 'm7ktN1QBMx', 'NZmtRQTQP1', 'uoCtja763x', 'VHitxoBVFL', 'ITdtTdvI5L', 'A3GtncT0to', 'QKqUgQi5yM', 'PFxUPkSYGo', 'LCoU2djfgO'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, uNjnQspJ64xXuolXpg.cs	High entropy of concatenated method names: 'ToString', 'vOuI0AF8bg', 'PSyI1UJcNe', 'g7lIkURrQX', 'PgGIw5YwKO', 'mFYISaX6qq', 'HQ2Isj14Py', 'RpXI4noFHd', 'TL8IYeTBqn', 'swiIENsWLM'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, jl3RAe88u4hlLD3Mj7.cs	High entropy of concatenated method names: 'PtPKPqDyfD', 'CPfKf7clCW', 'OeIUyyUOCt', 'Du3UrGmGIc', 'lH5K0wMsgX', 'hj7KCPBvKK', 'kbgKq2OpiJ', 'NEPKlG09aV', 'jf7KJ0Kpai', 'oeQKpu18pQ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, pLg0YmhpR8uYAIHdvu.cs	High entropy of concatenated method names: 'vlZTLOP36D', 'kGmTo9YIU3', 'JrhbkND3gA', 'w8WbwZhdjh', 'AAkbSjOGWH', 'zWRbstnUfc', 'Qk1b4i2xs1', 'BxBbYXbYYI', 'EMQbEorGHy', 'bc9b3UUQ5K'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, V20jGCR5LKTDtuJD4U.cs	High entropy of concatenated method names: 'hwjrAVLhd3', 'ovjrX97x0u', 'lyIrii5Z0y', 'SRprDFILg0', 'pHdrFvuk41', 'NRprIkb9Be', 'SR9HnvbuAZJjDGALZh', 'JWWe3i6aDapwC80w9r', 'RcorrsiSy6', 'eMOrNVbTjy'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, H413RpOkb9Beefy6KO.cs	High entropy of concatenated method names: 'GIpnVXkXDv', 'NNunx1tWZS', 'sobnT7Wuqg', 'M3NnAgysns', 'dsdnXCdgVC', 'u8wTc2RkIw', 'YLWT8JPkNa', 'kG4Tghf4cn', 'foRTP63LKh', 'NTWT23UpQZ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, KvQxCNlNtBHxoGnWPu.cs	High entropy of concatenated method names: 'TxJF3EEgX5', 'tfmFCVDIi2', 'vCCFlRoqvO', 'FMZFJWha18', 'BwZF17Awnt', 'gLFFkQK5wk', 'O6ZFwJW45Q', 'b3HFSX02Ew', 'GlAFsXEIGR', 'v8KF4NRq2r'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, fVLhd3v9vj97x0ul7x.cs	High entropy of concatenated method names: 'K3AxlOLVKI', 'VarxJn84gX', 'PJSxpaFyMT', 'C4oxQnAqnI', 'kPTxcx3RIZ', 'KcIx8ir71C', 'al4xg4pRkI', 'ar3xP1CbjZ', 'I97x28B1O4', 'PKCxfWURYJ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, oCoC4rSRQ5DbVVPrMB.cs	High entropy of concatenated method names: 'u0Jn4DtwQR', 'vd8nEkQTGN', 'F8nnsFxcrI', 'cF9Yu8HPWdNl3mAgAl2', 'mVgTqRH9pFjA5MwAUEJ', 'KtydHfHCsXaAUGQ1Zbo'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, crTyvuEhkkEYNy7pZ3.cs	High entropy of concatenated method names: 'whnA77HBsa', 'dQ7AGfZmg6', 'u8jAMq9Pip', 'ehRABaHdYk', 'qxEALDUgxD', 'oCWAd4r8Gg', 'GfYAo6gujn', 'iEfAvNanha', 'pbEAHHwQC2', 'S0DAh8rQp8'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, a7PBht10ILexMfENh5.cs	High entropy of concatenated method names: 'ty1ooJHs8noJ0FDr7rS', 'gktV4MHAI2JZgw6A5x3', 'RnvnUD2VkT', 'iIIntGEINW', 'Y7inmawLHh', 'jKlQ7UHGxLUlLuSbvOt', 'FrB5qkHBd4kY3hwgQaa', 'VNw4mHHeNyhFl9YILyi'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, nTd64leKOQkBShM71J.cs	High entropy of concatenated method names: 'HCrMnLx7W', 'HEaBLNJUZ', 'nGJd5VT8d', 'XCNoXvuef', 'ShLHn2dgQ', 'jmbhBiaek', 'fat5O0pl1xPh5SRD1F', 'ltuW3029XaQBRHk5PO', 'FxyUnsRso', 'y6PmPcuvN'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, nv80huHyIi5Z0ypRpF.cs	High entropy of concatenated method names: 'G5ibBgK5QF', 'gcXbdVUujo', 'yK7bvwjPme', 'omYbH6Td5n', 'ANZbFOshJO', 'S7lbITtPlX', 'NYnbKN9gW3', 'MfrbU1SAhn', 'aDDbticM2Q', 'YU1bm2unaD'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GdnMsM2ZpWaqTfDgbs.cs	High entropy of concatenated method names: 'pHwUOVN7Or', 'ErfU1RIwFR', 'qPnUkI1P2i', 'yTgUwTWqam', 'oVEUl5RCci', 'oIKUSwI65i', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, cRuI1ZQuA6WoRBZi6G.cs	High entropy of concatenated method names: 'gd7KiR3hi3', 'slpKDMW70S', 'ToString', 'OAQKjAaY9H', 'gcuKx9hB0d', 'yUIKbZXXeI', 'gIjKTq8hE6', 'h2QKnYMHGV', 'NklKA7JSCl', 'dBiKXmNUi1'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, OplsHdzJvA0crPbN5m.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O9Nt9ADeIG', 'sSUtFjmGmJ', 'jlYtIt1WMT', 'KUOtKERjk2', 'iH8tUuhNHm', 'Or5ttsyaX1', 'QaKtmqbuE3'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, bX9Fp8rNJpntZjUhZX0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FAIml1Vvh1', 'J3HmJaeyYt', 'k6MmpqnVku', 'JTomQd9BAT', 'hkKmc6IQqT', 'bANm8Aj7ai', 'wZVmgTfGZt'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	High entropy of concatenated method names: 'gVbNVtZ62T', 'ObvNjIoYTU', 'RCPNxaUWlK', 'AKuNboDfQc', 'DTpNTbVqOQ', 'Op2NnfLkCn', 'F8WNAjS3ND', 'xulNXYfi3f', 'YAYNu8VUtU', 'uCgNiCRPeY'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, WKYp3LxaO9xCgRuSVE.cs	High entropy of concatenated method names: 'Dispose', 'QUCr2EEIRR', 'l6Xe1mZtub', 'MmtOONhLeV', 'vcArfml14L', 'UcJrzgRJ0t', 'ProcessDialogKey', 'LSOeydnMsM', 'vpWeraqTfD', 'WbseekRito'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, qhYTVHqPF5FU4j8DXE.cs	High entropy of concatenated method names: 'aE79vAZDC2', 'GjS9HF8Wnh', 'gOs9OPlSXR', 'B4Q91gg9mK', 'sFG9wOKrdq', 'hhZ9SwuKqN', 'OIX94xU5UB', 'hoD9Yy4UJe', 'W1F93UZ2o8', 'cft90dsjhg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, gbbVA14tBQCOnqKU9Y.cs	High entropy of concatenated method names: 'DUfAjERvfC', 'IErAbUc97J', 'JZ6AnQkN2F', 'J4UnfcEXMV', 'rPJnzOK7Hv', 'CCJAyBULpZ', 'TfpArh6bBv', 'QRIAe6iWt2', 'zwgAN4uRWD', 'AB4AR7xLgg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, UAml14PLccJgRJ0t4S.cs	High entropy of concatenated method names: 'UwgUj4PTKm', 'lG1UxpBtKI', 'BB7UbmhkXR', 'nF8UTuAioQ', 's3xUn9Z96C', 'i9TUAlGsae', 'IhsUX9TMZW', 'lrLUud4Zkw', 'CQuUiV7JRT', 'cfDUDmKxpR'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, tAcbefryMggPVwpTLx7.cs	High entropy of concatenated method names: 'OiQt77QEWV', 'IqAtG9rvsK', 'ctCtM0VyVp', 'wA1tBYOj2s', 'y1mtL1nKmK', 'WlGtdJlRdr', 'JemtoeZPJu', 'tAdtvh0fNI', 'rU9tHRIjXg', 'UTFtht5mEC'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, HRito2ftyhW443Hxbl.cs	High entropy of concatenated method names: 'Ldmtr7evZA', 'm7ktN1QBMx', 'NZmtRQTQP1', 'uoCtja763x', 'VHitxoBVFL', 'ITdtTdvI5L', 'A3GtncT0to', 'QKqUgQi5yM', 'PFxUPkSYGo', 'LCoU2djfgO'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, uNjnQspJ64xXuolXpg.cs	High entropy of concatenated method names: 'ToString', 'vOuI0AF8bg', 'PSyI1UJcNe', 'g7lIkURrQX', 'PgGIw5YwKO', 'mFYISaX6qq', 'HQ2Isj14Py', 'RpXI4noFHd', 'TL8IYeTBqn', 'swiIENsWLM'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, jl3RAe88u4hlLD3Mj7.cs	High entropy of concatenated method names: 'PtPKPqDyfD', 'CPfKf7clCW', 'OeIUyyUOCt', 'Du3UrGmGIc', 'lH5K0wMsgX', 'hj7KCPBvKK', 'kbgKq2OpiJ', 'NEPKlG09aV', 'jf7KJ0Kpai', 'oeQKpu18pQ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, pLg0YmhpR8uYAIHdvu.cs	High entropy of concatenated method names: 'vlZTLOP36D', 'kGmTo9YIU3', 'JrhbkND3gA', 'w8WbwZhdjh', 'AAkbSjOGWH', 'zWRbstnUfc', 'Qk1b4i2xs1', 'BxBbYXbYYI', 'EMQbEorGHy', 'bc9b3UUQ5K'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, V20jGCR5LKTDtuJD4U.cs	High entropy of concatenated method names: 'hwjrAVLhd3', 'ovjrX97x0u', 'lyIrii5Z0y', 'SRprDFILg0', 'pHdrFvuk41', 'NRprIkb9Be', 'SR9HnvbuAZJjDGALZh', 'JWWe3i6aDapwC80w9r', 'RcorrsiSy6', 'eMOrNVbTjy'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, H413RpOkb9Beefy6KO.cs	High entropy of concatenated method names: 'GIpnVXkXDv', 'NNunx1tWZS', 'sobnT7Wuqg', 'M3NnAgysns', 'dsdnXCdgVC', 'u8wTc2RkIw', 'YLWT8JPkNa', 'kG4Tghf4cn', 'foRTP63LKh', 'NTWT23UpQZ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, KvQxCNlNtBHxoGnWPu.cs	High entropy of concatenated method names: 'TxJF3EEgX5', 'tfmFCVDIi2', 'vCCFlRoqvO', 'FMZFJWha18', 'BwZF17Awnt', 'gLFFkQK5wk', 'O6ZFwJW45Q', 'b3HFSX02Ew', 'GlAFsXEIGR', 'v8KF4NRq2r'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, OEGyOZzp9CU9Z.cs	High entropy of concatenated method names: 'QYSru9RU5dJWd', 'oi9Msqd9lmqFp', 'Gh7hF3Ceyz4jK', 'x2Kcz0n4msm1l2xM', '_4hDI5T8H5DCOIm19', 'T6aFt50BZla82ZA2', 'zpcOiMJTAlF4Htxi', 'TMFXXcHHzUU18I1r', 'ZSkwZRotVkMfXhhu', 'Um2YTXt47I4LIxgc'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, v5gt0V01k1MSsC0vwoxxBSwsEW4T1eqJw046P2ak3r4M2UHQ1RfEfyXqwlgDqRqjrSOTYe7.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'QTea7y2A8yGbO3jMXxuYC9YMcx5anBR', 'ZTIL5yWBKqapf9Byr2X2ov4nJgGIqjf', 'WHkIaWdsBqOvjqgK5gnz3Hq7FGRo7av', 'ksvOYOxtyeEJgsYuEk2j6FJUFQEL7jb'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, xEwUvc4BlwXCJ.cs	High entropy of concatenated method names: 'upuCmD95kpAQn', 'y64QqzLLzgvYy', 'nHNLF6ETZc4pz', 'wFe23vyXZnI9p', 'oPyUSoKLxc3MJ', 'j0yacKOMxpzCw3ZgwzP7SYa9OQxk42U', 'sG0Gu7E9uPceY4JkCHFeLM6rppnIbSk', 'Ic69UCn21qS8jQPeUpzcxe67X8Wwo7C', 'TVdrYhGtHgnmKaKEGnnQHc1AVeCLwz9', 'h9lFeGqDok6PiuQlRtN7JIQA7sN9FeZ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, qMGvLJvouSdkL.cs	High entropy of concatenated method names: 'wAkM01TBZTMeC', 'ciAT4tkkLZ8RM', 'kyv1OiOaRjUOS', 'Is1Vu2C8gzfuWAcZ', 'ZrXVwJq1NPBYst66', 'YSiZ9OqRAn5DEoap', 'kpqsU8I4EmsXem6T', 'Y40LWH71GiExNonP', 'wlqe8L0mqhORb3Xh', 'cBzGfHA7YZurGUjI'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 3QiiXqkghrMk1.cs	High entropy of concatenated method names: '_7TDRTDNWODVx9', 'bjpklCnAU25Ps', '_7whWzOffgktu7', 'H6OjpWJSuZpR7', 'LgXlVehbtF6PL', 'VPnNUxfUUOfKi', 'kVcqKyJkqeEYF', 'I9f9xqzndWbJy', 'Yh4ih3UMSubwZ', '_99oZuJy83I8YX'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, y42W1bnvO6P0K.cs	High entropy of concatenated method names: 'LG61tF1NXxMw5', 'oGvBieVy94qbk', 'YRTDDNA0tkzMF', 'VhxySITiopS46', 'qjbfovDtQWz1b', 'kLPAgXYZstRMB', 'hjXpfk41rTAw1', 'zs2SZYN7C9FhZ', 'zFQIATYwwABMt', 'qai42JONF5klU'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	High entropy of concatenated method names: 'wcUZ2mvylwf7l', 'WtIrNy0hVmv60', 'JJgHyUlgPqlHQ', 'oHuREPEY4JElU', '_6vBzT4Nf8lYoy', 'Pai19egUGSisn', 'R5KRLNkgechqT', 'BCrPs0JGWRM5b', 'aoGqSGI44Uvct', 'irOTow0Wq5kJo'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, yI26puFLQ4OeW.cs	High entropy of concatenated method names: 'RPwrCFQWFVe3z', 'ykPv5m8mGukHt', 'rl3v1HQ21t3Ss', 'p5lTD1bRQsSns', 'N73EDMwGLrsYV', '_7giKgaxCmtum3', 'zR4TMA5bTqEsF', 'lNVI49QJGetLk', 'ivrYT9hUulqbg', 'G1GjbMsl7I84P'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, OEGyOZzp9CU9Z.cs	High entropy of concatenated method names: 'QYSru9RU5dJWd', 'oi9Msqd9lmqFp', 'Gh7hF3Ceyz4jK', 'x2Kcz0n4msm1l2xM', '_4hDI5T8H5DCOIm19', 'T6aFt50BZla82ZA2', 'zpcOiMJTAlF4Htxi', 'TMFXXcHHzUU18I1r', 'ZSkwZRotVkMfXhhu', 'Um2YTXt47I4LIxgc'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, v5gt0V01k1MSsC0vwoxxBSwsEW4T1eqJw046P2ak3r4M2UHQ1RfEfyXqwlgDqRqjrSOTYe7.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'QTea7y2A8yGbO3jMXxuYC9YMcx5anBR', 'ZTIL5yWBKqapf9Byr2X2ov4nJgGIqjf', 'WHkIaWdsBqOvjqgK5gnz3Hq7FGRo7av', 'ksvOYOxtyeEJgsYuEk2j6FJUFQEL7jb'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, xEwUvc4BlwXCJ.cs	High entropy of concatenated method names: 'upuCmD95kpAQn', 'y64QqzLLzgvYy', 'nHNLF6ETZc4pz', 'wFe23vyXZnI9p', 'oPyUSoKLxc3MJ', 'j0yacKOMxpzCw3ZgwzP7SYa9OQxk42U', 'sG0Gu7E9uPceY4JkCHFeLM6rppnIbSk', 'Ic69UCn21qS8jQPeUpzcxe67X8Wwo7C', 'TVdrYhGtHgnmKaKEGnnQHc1AVeCLwz9', 'h9lFeGqDok6PiuQlRtN7JIQA7sN9FeZ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, qMGvLJvouSdkL.cs	High entropy of concatenated method names: 'wAkM01TBZTMeC', 'ciAT4tkkLZ8RM', 'kyv1OiOaRjUOS', 'Is1Vu2C8gzfuWAcZ', 'ZrXVwJq1NPBYst66', 'YSiZ9OqRAn5DEoap', 'kpqsU8I4EmsXem6T', 'Y40LWH71GiExNonP', 'wlqe8L0mqhORb3Xh', 'cBzGfHA7YZurGUjI'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 3QiiXqkghrMk1.cs	High entropy of concatenated method names: '_7TDRTDNWODVx9', 'bjpklCnAU25Ps', '_7whWzOffgktu7', 'H6OjpWJSuZpR7', 'LgXlVehbtF6PL', 'VPnNUxfUUOfKi', 'kVcqKyJkqeEYF', 'I9f9xqzndWbJy', 'Yh4ih3UMSubwZ', '_99oZuJy83I8YX'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, y42W1bnvO6P0K.cs	High entropy of concatenated method names: 'LG61tF1NXxMw5', 'oGvBieVy94qbk', 'YRTDDNA0tkzMF', 'VhxySITiopS46', 'qjbfovDtQWz1b', 'kLPAgXYZstRMB', 'hjXpfk41rTAw1', 'zs2SZYN7C9FhZ', 'zFQIATYwwABMt', 'qai42JONF5klU'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	High entropy of concatenated method names: 'wcUZ2mvylwf7l', 'WtIrNy0hVmv60', 'JJgHyUlgPqlHQ', 'oHuREPEY4JElU', '_6vBzT4Nf8lYoy', 'Pai19egUGSisn', 'R5KRLNkgechqT', 'BCrPs0JGWRM5b', 'aoGqSGI44Uvct', 'irOTow0Wq5kJo'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, yI26puFLQ4OeW.cs	High entropy of concatenated method names: 'RPwrCFQWFVe3z', 'ykPv5m8mGukHt', 'rl3v1HQ21t3Ss', 'p5lTD1bRQsSns', 'N73EDMwGLrsYV', '_7giKgaxCmtum3', 'zR4TMA5bTqEsF', 'lNVI49QJGetLk', 'ivrYT9hUulqbg', 'G1GjbMsl7I84P'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, fVLhd3v9vj97x0ul7x.cs	High entropy of concatenated method names: 'K3AxlOLVKI', 'VarxJn84gX', 'PJSxpaFyMT', 'C4oxQnAqnI', 'kPTxcx3RIZ', 'KcIx8ir71C', 'al4xg4pRkI', 'ar3xP1CbjZ', 'I97x28B1O4', 'PKCxfWURYJ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, oCoC4rSRQ5DbVVPrMB.cs	High entropy of concatenated method names: 'u0Jn4DtwQR', 'vd8nEkQTGN', 'F8nnsFxcrI', 'cF9Yu8HPWdNl3mAgAl2', 'mVgTqRH9pFjA5MwAUEJ', 'KtydHfHCsXaAUGQ1Zbo'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, crTyvuEhkkEYNy7pZ3.cs	High entropy of concatenated method names: 'whnA77HBsa', 'dQ7AGfZmg6', 'u8jAMq9Pip', 'ehRABaHdYk', 'qxEALDUgxD', 'oCWAd4r8Gg', 'GfYAo6gujn', 'iEfAvNanha', 'pbEAHHwQC2', 'S0DAh8rQp8'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, a7PBht10ILexMfENh5.cs	High entropy of concatenated method names: 'ty1ooJHs8noJ0FDr7rS', 'gktV4MHAI2JZgw6A5x3', 'RnvnUD2VkT', 'iIIntGEINW', 'Y7inmawLHh', 'jKlQ7UHGxLUlLuSbvOt', 'FrB5qkHBd4kY3hwgQaa', 'VNw4mHHeNyhFl9YILyi'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, nTd64leKOQkBShM71J.cs	High entropy of concatenated method names: 'HCrMnLx7W', 'HEaBLNJUZ', 'nGJd5VT8d', 'XCNoXvuef', 'ShLHn2dgQ', 'jmbhBiaek', 'fat5O0pl1xPh5SRD1F', 'ltuW3029XaQBRHk5PO', 'FxyUnsRso', 'y6PmPcuvN'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, nv80huHyIi5Z0ypRpF.cs	High entropy of concatenated method names: 'G5ibBgK5QF', 'gcXbdVUujo', 'yK7bvwjPme', 'omYbH6Td5n', 'ANZbFOshJO', 'S7lbITtPlX', 'NYnbKN9gW3', 'MfrbU1SAhn', 'aDDbticM2Q', 'YU1bm2unaD'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GdnMsM2ZpWaqTfDgbs.cs	High entropy of concatenated method names: 'pHwUOVN7Or', 'ErfU1RIwFR', 'qPnUkI1P2i', 'yTgUwTWqam', 'oVEUl5RCci', 'oIKUSwI65i', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, cRuI1ZQuA6WoRBZi6G.cs	High entropy of concatenated method names: 'gd7KiR3hi3', 'slpKDMW70S', 'ToString', 'OAQKjAaY9H', 'gcuKx9hB0d', 'yUIKbZXXeI', 'gIjKTq8hE6', 'h2QKnYMHGV', 'NklKA7JSCl', 'dBiKXmNUi1'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, OplsHdzJvA0crPbN5m.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O9Nt9ADeIG', 'sSUtFjmGmJ', 'jlYtIt1WMT', 'KUOtKERjk2', 'iH8tUuhNHm', 'Or5ttsyaX1', 'QaKtmqbuE3'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, bX9Fp8rNJpntZjUhZX0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FAIml1Vvh1', 'J3HmJaeyYt', 'k6MmpqnVku', 'JTomQd9BAT', 'hkKmc6IQqT', 'bANm8Aj7ai', 'wZVmgTfGZt'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	High entropy of concatenated method names: 'gVbNVtZ62T', 'ObvNjIoYTU', 'RCPNxaUWlK', 'AKuNboDfQc', 'DTpNTbVqOQ', 'Op2NnfLkCn', 'F8WNAjS3ND', 'xulNXYfi3f', 'YAYNu8VUtU', 'uCgNiCRPeY'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, WKYp3LxaO9xCgRuSVE.cs	High entropy of concatenated method names: 'Dispose', 'QUCr2EEIRR', 'l6Xe1mZtub', 'MmtOONhLeV', 'vcArfml14L', 'UcJrzgRJ0t', 'ProcessDialogKey', 'LSOeydnMsM', 'vpWeraqTfD', 'WbseekRito'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, qhYTVHqPF5FU4j8DXE.cs	High entropy of concatenated method names: 'aE79vAZDC2', 'GjS9HF8Wnh', 'gOs9OPlSXR', 'B4Q91gg9mK', 'sFG9wOKrdq', 'hhZ9SwuKqN', 'OIX94xU5UB', 'hoD9Yy4UJe', 'W1F93UZ2o8', 'cft90dsjhg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, gbbVA14tBQCOnqKU9Y.cs	High entropy of concatenated method names: 'DUfAjERvfC', 'IErAbUc97J', 'JZ6AnQkN2F', 'J4UnfcEXMV', 'rPJnzOK7Hv', 'CCJAyBULpZ', 'TfpArh6bBv', 'QRIAe6iWt2', 'zwgAN4uRWD', 'AB4AR7xLgg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, UAml14PLccJgRJ0t4S.cs	High entropy of concatenated method names: 'UwgUj4PTKm', 'lG1UxpBtKI', 'BB7UbmhkXR', 'nF8UTuAioQ', 's3xUn9Z96C', 'i9TUAlGsae', 'IhsUX9TMZW', 'lrLUud4Zkw', 'CQuUiV7JRT', 'cfDUDmKxpR'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, tAcbefryMggPVwpTLx7.cs	High entropy of concatenated method names: 'OiQt77QEWV', 'IqAtG9rvsK', 'ctCtM0VyVp', 'wA1tBYOj2s', 'y1mtL1nKmK', 'WlGtdJlRdr', 'JemtoeZPJu', 'tAdtvh0fNI', 'rU9tHRIjXg', 'UTFtht5mEC'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, HRito2ftyhW443Hxbl.cs	High entropy of concatenated method names: 'Ldmtr7evZA', 'm7ktN1QBMx', 'NZmtRQTQP1', 'uoCtja763x', 'VHitxoBVFL', 'ITdtTdvI5L', 'A3GtncT0to', 'QKqUgQi5yM', 'PFxUPkSYGo', 'LCoU2djfgO'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, uNjnQspJ64xXuolXpg.cs	High entropy of concatenated method names: 'ToString', 'vOuI0AF8bg', 'PSyI1UJcNe', 'g7lIkURrQX', 'PgGIw5YwKO', 'mFYISaX6qq', 'HQ2Isj14Py', 'RpXI4noFHd', 'TL8IYeTBqn', 'swiIENsWLM'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, jl3RAe88u4hlLD3Mj7.cs	High entropy of concatenated method names: 'PtPKPqDyfD', 'CPfKf7clCW', 'OeIUyyUOCt', 'Du3UrGmGIc', 'lH5K0wMsgX', 'hj7KCPBvKK', 'kbgKq2OpiJ', 'NEPKlG09aV', 'jf7KJ0Kpai', 'oeQKpu18pQ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, pLg0YmhpR8uYAIHdvu.cs	High entropy of concatenated method names: 'vlZTLOP36D', 'kGmTo9YIU3', 'JrhbkND3gA', 'w8WbwZhdjh', 'AAkbSjOGWH', 'zWRbstnUfc', 'Qk1b4i2xs1', 'BxBbYXbYYI', 'EMQbEorGHy', 'bc9b3UUQ5K'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, V20jGCR5LKTDtuJD4U.cs	High entropy of concatenated method names: 'hwjrAVLhd3', 'ovjrX97x0u', 'lyIrii5Z0y', 'SRprDFILg0', 'pHdrFvuk41', 'NRprIkb9Be', 'SR9HnvbuAZJjDGALZh', 'JWWe3i6aDapwC80w9r', 'RcorrsiSy6', 'eMOrNVbTjy'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, H413RpOkb9Beefy6KO.cs	High entropy of concatenated method names: 'GIpnVXkXDv', 'NNunx1tWZS', 'sobnT7Wuqg', 'M3NnAgysns', 'dsdnXCdgVC', 'u8wTc2RkIw', 'YLWT8JPkNa', 'kG4Tghf4cn', 'foRTP63LKh', 'NTWT23UpQZ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, KvQxCNlNtBHxoGnWPu.cs	High entropy of concatenated method names: 'TxJF3EEgX5', 'tfmFCVDIi2', 'vCCFlRoqvO', 'FMZFJWha18', 'BwZF17Awnt', 'gLFFkQK5wk', 'O6ZFwJW45Q', 'b3HFSX02Ew', 'GlAFsXEIGR', 'v8KF4NRq2r'

Creates processes with suspicious names

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe	Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.scr

Static PE information: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 3608, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 28C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 8980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 9980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 9B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: AB80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 13C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Window / User API: threadDelayed 6510	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Window / User API: threadDelayed 3313	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6898	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2787	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6230	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3565	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7414	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2322	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2997
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6630

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe TID: 1536	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe TID: 3136	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe TID: 6660	Thread sleep count: 6510 > 30	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe TID: 6660	Thread sleep count: 3313 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1436	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2752	Thread sleep count: 6230 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1272	Thread sleep count: 3565 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5472	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4052	Thread sleep count: 7414 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4052	Thread sleep count: 2322 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1988	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep time: -5534023222112862s >= -30000s

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4530484778.0000000001074000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe "C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4530484778.0000000001074000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4534290807.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 3608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 6608, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4534290807.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 3608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 6608, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.250.180.178	unknown	United States		9009	M247GB	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
104.250.180.178	true	16%, Virustotal, Browse	unknown

AV Detection

Found malware configuration

Source: 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for domain / URL

Source: 104.250.180.178

Virustotal: Detection: 15%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Roaming\XClient.exe	Virustotal: Detection: 28%			Perma Link

Multi AV Scanner detection for submitted file

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	ReversingLabs: Detection: 18%
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Virustotal: Detection: 28%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: 104.250.180.178
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: 7061
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: <123456789>
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: XWorm V5.2
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: USB.exe
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: %AppData%
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: XClient.exe

Uses 32bit PE files

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: SmhB.pdb source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, XClient.exe.3.dr
Source:	Binary string: SmhB.pdbSHA256 source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, XClient.exe.3.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49763 -> 104.250.180.178:7061
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 104.250.180.178:7061 -> 192.168.2.5:49763
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 104.250.180.178:7061 -> 192.168.2.5:49763
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49763 -> 104.250.180.178:7061
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49763 -> 104.250.180.178:7061

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.250.180.178

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49763 -> 104.250.180.178:7061

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.250.180.178 104.250.180.178

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178

Source: powershell.exe, 00000009.00000002.2230293062.0000000007739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000007.00000002.2183561020.00000000075C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.miE
Source: powershell.exe, 00000004.00000002.2145777627.0000000006CA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000007.00000002.2186717140.0000000008582000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000007.00000002.2164444713.000000000307B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microz
Source: powershell.exe, 00000004.00000002.2143073339.0000000005327000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2178946361.0000000005CB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2221393988.0000000005DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.2267205471.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2138530136.0000000004416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2166129126.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2267205471.0000000004BD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4534290807.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2138530136.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2166129126.0000000004C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2267205471.0000000004A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2138530136.0000000004416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2166129126.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2267205471.0000000004BD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000C.00000002.2267205471.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.2138530136.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2166129126.0000000004C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2267205471.0000000004A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000C.00000002.2267205471.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.2204031498.00000000056AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.000000000550F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2143073339.0000000005327000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2178946361.0000000005CB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2221393988.0000000005DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_00ADF044	0_2_00ADF044
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_04F926E8	0_2_04F926E8
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_04F926D7	0_2_04F926D7
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6BB48	0_2_06B6BB48
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6F5E8	0_2_06B6F5E8
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6F1B0	0_2_06B6F1B0
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6ED78	0_2_06B6ED78
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6ED68	0_2_06B6ED68
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6BB38	0_2_06B6BB38
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6E940	0_2_06B6E940
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_08963A50	0_2_08963A50
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_0896D3D4	0_2_0896D3D4
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_08961340	0_2_08961340
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_02DB6225	3_2_02DB6225
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_02DB4AC8	3_2_02DB4AC8
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_02DB3EC0	3_2_02DB3EC0
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E027B8	3_2_05E027B8
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E0C610	3_2_05E0C610
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E078F0	3_2_05E078F0
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E03088	3_2_05E03088
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E072D8	3_2_05E072D8
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E02470	3_2_05E02470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028CB4A0	4_2_028CB4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028CB490	4_2_028CB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C8B4A0	9_2_04C8B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C8B490	9_2_04C8B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08D93AA8	9_2_08D93AA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_0486B490	12_2_0486B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_08983A98	12_2_08983A98

Sample file is different than original file name gathered from version info

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000000.2075560196.0000000000580000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSmhB.exeL vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000002.2089473163.0000000006D80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000002.2087858423.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4545201691.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSmhB.exeL vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4548061176.0000000005FF9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Binary or memory string: OriginalFilenameSmhB.exeL vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Uses 32bit PE files

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XClient.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, evBSdWeBEycC8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, evBSdWeBEycC8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, gtv0gssvKWWRAOg38T65o.cs	Base64 encoded string: 'Y2m7z9x6jWcENPlNUeR5pyCUQgkINBomStoNpnlrWGD5k8Gdna37HW29JZ4or9rJpFPkm1RbMV6kU97GRxKdNyK7'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, gtv0gssvKWWRAOg38T65o.cs	Base64 encoded string: 'Y2m7z9x6jWcENPlNUeR5pyCUQgkINBomStoNpnlrWGD5k8Gdna37HW29JZ4or9rJpFPkm1RbMV6kU97GRxKdNyK7'

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.SetAccessControl
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.AddAccessRule
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, fVLhd3v9vj97x0ul7x.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.SetAccessControl
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.AddAccessRule
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.SetAccessControl
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.AddAccessRule
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, fVLhd3v9vj97x0ul7x.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, fVLhd3v9vj97x0ul7x.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/21@0/1

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1896:120:WilError_03
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\XczLagvCjDnYaiUQ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	ReversingLabs: Detection: 18%
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Virustotal: Detection: 28%

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

String found in binary or memory: $72794fd6-9579-4364-adda-1580f4b1038b

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File read: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe "C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe"
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe "C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe"
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe "C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: XClient.lnk.3.dr

LNK file: ..\..\..\..\..\XClient.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: SmhB.pdb source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, XClient.exe.3.dr
Source:	Binary string: SmhB.pdbSHA256 source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, XClient.exe.3.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.V5iefvrq5ojDNrXhTMMo4zwFWo7bRXWxOZCqoGeeUpQmix0ckylU4EMAyEK5rzrqFBO4vVj,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.GFSxJ5J90XVIk,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq._1CGKpY5HgwGOF,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.u4082n7RFaVyO,_3QiiXqkghrMk1.Ds6pGCLI6znqx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{mJgaCaREgzuBt[2],_3QiiXqkghrMk1.BvKeDBBOxQxE8(Convert.FromBase64String(mJgaCaREgzuBt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { mJgaCaREgzuBt[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.V5iefvrq5ojDNrXhTMMo4zwFWo7bRXWxOZCqoGeeUpQmix0ckylU4EMAyEK5rzrqFBO4vVj,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.GFSxJ5J90XVIk,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq._1CGKpY5HgwGOF,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.u4082n7RFaVyO,_3QiiXqkghrMk1.Ds6pGCLI6znqx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{mJgaCaREgzuBt[2],_3QiiXqkghrMk1.BvKeDBBOxQxE8(Convert.FromBase64String(mJgaCaREgzuBt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { mJgaCaREgzuBt[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2b99d98.1.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.5560000.5.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	.Net Code: hx3Wk7SK51Mj25qRcDs System.Reflection.Assembly.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	.Net Code: hx3Wk7SK51Mj25qRcDs System.Reflection.Assembly.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: WtIrNy0hVmv60 System.AppDomain.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r System.AppDomain.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: WtIrNy0hVmv60 System.AppDomain.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r System.AppDomain.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	.Net Code: hx3Wk7SK51Mj25qRcDs System.Reflection.Assembly.Load(byte[])

Binary contains a suspicious time stamp

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: 0xB1B46C76 [Sun Jun 22 20:17:58 2064 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_04F9B8B0 push eax; mov dword ptr [esp], ecx	0_2_04F9B8B4
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_08965648 pushfd ; iretd	0_2_089656F9
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_089656F0 pushfd ; iretd	0_2_089656F9
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_08965638 pushad ; iretd	0_2_08965639
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E04488 pushfd ; ret	3_2_05E04489
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E043A8 push eax; ret	3_2_05E043A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028C636D push eax; ret	4_2_028C6381
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028C3AA8 push ebx; retf	4_2_028C3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028C3A63 push ebx; retf	4_2_028C3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028C2D09 push 04B8070Fh; retf	4_2_028C2D0E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_078E1BCC pushfd ; retf	7_2_078E1BD5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C850E8 pushfd ; ret	9_2_04C85092
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C842ED push esi; ret	9_2_04C84312
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C842A8 push esi; ret	9_2_04C84312
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C873C0 pushfd ; rep ret	9_2_04C873D9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C86378 push eax; ret	9_2_04C86381
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07A41743 push 08C3A9B8h; ret	9_2_07A41763
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07A43596 push eax; iretd	9_2_07A435A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07A42CA8 pushad ; retf	9_2_07A43279
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08D95298 push 7DE8C88Bh; ret	9_2_08D952A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_0486629D push eax; ret	12_2_04866351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04865DDB push esp; ret	12_2_04865DE3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04865EF0 push 8B05A323h; retf	12_2_04865EF5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_048668FC pushad ; ret	12_2_04866903
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04866820 push eax; ret	12_2_04866833

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Static PE information: section name: .text entropy: 7.628561188344063
Source: XClient.exe.3.dr	Static PE information: section name: .text entropy: 7.628561188344063

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, fVLhd3v9vj97x0ul7x.cs	High entropy of concatenated method names: 'K3AxlOLVKI', 'VarxJn84gX', 'PJSxpaFyMT', 'C4oxQnAqnI', 'kPTxcx3RIZ', 'KcIx8ir71C', 'al4xg4pRkI', 'ar3xP1CbjZ', 'I97x28B1O4', 'PKCxfWURYJ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, oCoC4rSRQ5DbVVPrMB.cs	High entropy of concatenated method names: 'u0Jn4DtwQR', 'vd8nEkQTGN', 'F8nnsFxcrI', 'cF9Yu8HPWdNl3mAgAl2', 'mVgTqRH9pFjA5MwAUEJ', 'KtydHfHCsXaAUGQ1Zbo'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, crTyvuEhkkEYNy7pZ3.cs	High entropy of concatenated method names: 'whnA77HBsa', 'dQ7AGfZmg6', 'u8jAMq9Pip', 'ehRABaHdYk', 'qxEALDUgxD', 'oCWAd4r8Gg', 'GfYAo6gujn', 'iEfAvNanha', 'pbEAHHwQC2', 'S0DAh8rQp8'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, a7PBht10ILexMfENh5.cs	High entropy of concatenated method names: 'ty1ooJHs8noJ0FDr7rS', 'gktV4MHAI2JZgw6A5x3', 'RnvnUD2VkT', 'iIIntGEINW', 'Y7inmawLHh', 'jKlQ7UHGxLUlLuSbvOt', 'FrB5qkHBd4kY3hwgQaa', 'VNw4mHHeNyhFl9YILyi'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, nTd64leKOQkBShM71J.cs	High entropy of concatenated method names: 'HCrMnLx7W', 'HEaBLNJUZ', 'nGJd5VT8d', 'XCNoXvuef', 'ShLHn2dgQ', 'jmbhBiaek', 'fat5O0pl1xPh5SRD1F', 'ltuW3029XaQBRHk5PO', 'FxyUnsRso', 'y6PmPcuvN'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, nv80huHyIi5Z0ypRpF.cs	High entropy of concatenated method names: 'G5ibBgK5QF', 'gcXbdVUujo', 'yK7bvwjPme', 'omYbH6Td5n', 'ANZbFOshJO', 'S7lbITtPlX', 'NYnbKN9gW3', 'MfrbU1SAhn', 'aDDbticM2Q', 'YU1bm2unaD'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GdnMsM2ZpWaqTfDgbs.cs	High entropy of concatenated method names: 'pHwUOVN7Or', 'ErfU1RIwFR', 'qPnUkI1P2i', 'yTgUwTWqam', 'oVEUl5RCci', 'oIKUSwI65i', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, cRuI1ZQuA6WoRBZi6G.cs	High entropy of concatenated method names: 'gd7KiR3hi3', 'slpKDMW70S', 'ToString', 'OAQKjAaY9H', 'gcuKx9hB0d', 'yUIKbZXXeI', 'gIjKTq8hE6', 'h2QKnYMHGV', 'NklKA7JSCl', 'dBiKXmNUi1'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, OplsHdzJvA0crPbN5m.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O9Nt9ADeIG', 'sSUtFjmGmJ', 'jlYtIt1WMT', 'KUOtKERjk2', 'iH8tUuhNHm', 'Or5ttsyaX1', 'QaKtmqbuE3'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, bX9Fp8rNJpntZjUhZX0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FAIml1Vvh1', 'J3HmJaeyYt', 'k6MmpqnVku', 'JTomQd9BAT', 'hkKmc6IQqT', 'bANm8Aj7ai', 'wZVmgTfGZt'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	High entropy of concatenated method names: 'gVbNVtZ62T', 'ObvNjIoYTU', 'RCPNxaUWlK', 'AKuNboDfQc', 'DTpNTbVqOQ', 'Op2NnfLkCn', 'F8WNAjS3ND', 'xulNXYfi3f', 'YAYNu8VUtU', 'uCgNiCRPeY'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, WKYp3LxaO9xCgRuSVE.cs	High entropy of concatenated method names: 'Dispose', 'QUCr2EEIRR', 'l6Xe1mZtub', 'MmtOONhLeV', 'vcArfml14L', 'UcJrzgRJ0t', 'ProcessDialogKey', 'LSOeydnMsM', 'vpWeraqTfD', 'WbseekRito'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, qhYTVHqPF5FU4j8DXE.cs	High entropy of concatenated method names: 'aE79vAZDC2', 'GjS9HF8Wnh', 'gOs9OPlSXR', 'B4Q91gg9mK', 'sFG9wOKrdq', 'hhZ9SwuKqN', 'OIX94xU5UB', 'hoD9Yy4UJe', 'W1F93UZ2o8', 'cft90dsjhg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, gbbVA14tBQCOnqKU9Y.cs	High entropy of concatenated method names: 'DUfAjERvfC', 'IErAbUc97J', 'JZ6AnQkN2F', 'J4UnfcEXMV', 'rPJnzOK7Hv', 'CCJAyBULpZ', 'TfpArh6bBv', 'QRIAe6iWt2', 'zwgAN4uRWD', 'AB4AR7xLgg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, UAml14PLccJgRJ0t4S.cs	High entropy of concatenated method names: 'UwgUj4PTKm', 'lG1UxpBtKI', 'BB7UbmhkXR', 'nF8UTuAioQ', 's3xUn9Z96C', 'i9TUAlGsae', 'IhsUX9TMZW', 'lrLUud4Zkw', 'CQuUiV7JRT', 'cfDUDmKxpR'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, tAcbefryMggPVwpTLx7.cs	High entropy of concatenated method names: 'OiQt77QEWV', 'IqAtG9rvsK', 'ctCtM0VyVp', 'wA1tBYOj2s', 'y1mtL1nKmK', 'WlGtdJlRdr', 'JemtoeZPJu', 'tAdtvh0fNI', 'rU9tHRIjXg', 'UTFtht5mEC'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, HRito2ftyhW443Hxbl.cs	High entropy of concatenated method names: 'Ldmtr7evZA', 'm7ktN1QBMx', 'NZmtRQTQP1', 'uoCtja763x', 'VHitxoBVFL', 'ITdtTdvI5L', 'A3GtncT0to', 'QKqUgQi5yM', 'PFxUPkSYGo', 'LCoU2djfgO'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, uNjnQspJ64xXuolXpg.cs	High entropy of concatenated method names: 'ToString', 'vOuI0AF8bg', 'PSyI1UJcNe', 'g7lIkURrQX', 'PgGIw5YwKO', 'mFYISaX6qq', 'HQ2Isj14Py', 'RpXI4noFHd', 'TL8IYeTBqn', 'swiIENsWLM'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, jl3RAe88u4hlLD3Mj7.cs	High entropy of concatenated method names: 'PtPKPqDyfD', 'CPfKf7clCW', 'OeIUyyUOCt', 'Du3UrGmGIc', 'lH5K0wMsgX', 'hj7KCPBvKK', 'kbgKq2OpiJ', 'NEPKlG09aV', 'jf7KJ0Kpai', 'oeQKpu18pQ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, pLg0YmhpR8uYAIHdvu.cs	High entropy of concatenated method names: 'vlZTLOP36D', 'kGmTo9YIU3', 'JrhbkND3gA', 'w8WbwZhdjh', 'AAkbSjOGWH', 'zWRbstnUfc', 'Qk1b4i2xs1', 'BxBbYXbYYI', 'EMQbEorGHy', 'bc9b3UUQ5K'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, V20jGCR5LKTDtuJD4U.cs	High entropy of concatenated method names: 'hwjrAVLhd3', 'ovjrX97x0u', 'lyIrii5Z0y', 'SRprDFILg0', 'pHdrFvuk41', 'NRprIkb9Be', 'SR9HnvbuAZJjDGALZh', 'JWWe3i6aDapwC80w9r', 'RcorrsiSy6', 'eMOrNVbTjy'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, H413RpOkb9Beefy6KO.cs	High entropy of concatenated method names: 'GIpnVXkXDv', 'NNunx1tWZS', 'sobnT7Wuqg', 'M3NnAgysns', 'dsdnXCdgVC', 'u8wTc2RkIw', 'YLWT8JPkNa', 'kG4Tghf4cn', 'foRTP63LKh', 'NTWT23UpQZ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, KvQxCNlNtBHxoGnWPu.cs	High entropy of concatenated method names: 'TxJF3EEgX5', 'tfmFCVDIi2', 'vCCFlRoqvO', 'FMZFJWha18', 'BwZF17Awnt', 'gLFFkQK5wk', 'O6ZFwJW45Q', 'b3HFSX02Ew', 'GlAFsXEIGR', 'v8KF4NRq2r'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, fVLhd3v9vj97x0ul7x.cs	High entropy of concatenated method names: 'K3AxlOLVKI', 'VarxJn84gX', 'PJSxpaFyMT', 'C4oxQnAqnI', 'kPTxcx3RIZ', 'KcIx8ir71C', 'al4xg4pRkI', 'ar3xP1CbjZ', 'I97x28B1O4', 'PKCxfWURYJ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, oCoC4rSRQ5DbVVPrMB.cs	High entropy of concatenated method names: 'u0Jn4DtwQR', 'vd8nEkQTGN', 'F8nnsFxcrI', 'cF9Yu8HPWdNl3mAgAl2', 'mVgTqRH9pFjA5MwAUEJ', 'KtydHfHCsXaAUGQ1Zbo'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, crTyvuEhkkEYNy7pZ3.cs	High entropy of concatenated method names: 'whnA77HBsa', 'dQ7AGfZmg6', 'u8jAMq9Pip', 'ehRABaHdYk', 'qxEALDUgxD', 'oCWAd4r8Gg', 'GfYAo6gujn', 'iEfAvNanha', 'pbEAHHwQC2', 'S0DAh8rQp8'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, a7PBht10ILexMfENh5.cs	High entropy of concatenated method names: 'ty1ooJHs8noJ0FDr7rS', 'gktV4MHAI2JZgw6A5x3', 'RnvnUD2VkT', 'iIIntGEINW', 'Y7inmawLHh', 'jKlQ7UHGxLUlLuSbvOt', 'FrB5qkHBd4kY3hwgQaa', 'VNw4mHHeNyhFl9YILyi'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, nTd64leKOQkBShM71J.cs	High entropy of concatenated method names: 'HCrMnLx7W', 'HEaBLNJUZ', 'nGJd5VT8d', 'XCNoXvuef', 'ShLHn2dgQ', 'jmbhBiaek', 'fat5O0pl1xPh5SRD1F', 'ltuW3029XaQBRHk5PO', 'FxyUnsRso', 'y6PmPcuvN'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, nv80huHyIi5Z0ypRpF.cs	High entropy of concatenated method names: 'G5ibBgK5QF', 'gcXbdVUujo', 'yK7bvwjPme', 'omYbH6Td5n', 'ANZbFOshJO', 'S7lbITtPlX', 'NYnbKN9gW3', 'MfrbU1SAhn', 'aDDbticM2Q', 'YU1bm2unaD'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GdnMsM2ZpWaqTfDgbs.cs	High entropy of concatenated method names: 'pHwUOVN7Or', 'ErfU1RIwFR', 'qPnUkI1P2i', 'yTgUwTWqam', 'oVEUl5RCci', 'oIKUSwI65i', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, cRuI1ZQuA6WoRBZi6G.cs	High entropy of concatenated method names: 'gd7KiR3hi3', 'slpKDMW70S', 'ToString', 'OAQKjAaY9H', 'gcuKx9hB0d', 'yUIKbZXXeI', 'gIjKTq8hE6', 'h2QKnYMHGV', 'NklKA7JSCl', 'dBiKXmNUi1'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, OplsHdzJvA0crPbN5m.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O9Nt9ADeIG', 'sSUtFjmGmJ', 'jlYtIt1WMT', 'KUOtKERjk2', 'iH8tUuhNHm', 'Or5ttsyaX1', 'QaKtmqbuE3'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, bX9Fp8rNJpntZjUhZX0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FAIml1Vvh1', 'J3HmJaeyYt', 'k6MmpqnVku', 'JTomQd9BAT', 'hkKmc6IQqT', 'bANm8Aj7ai', 'wZVmgTfGZt'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	High entropy of concatenated method names: 'gVbNVtZ62T', 'ObvNjIoYTU', 'RCPNxaUWlK', 'AKuNboDfQc', 'DTpNTbVqOQ', 'Op2NnfLkCn', 'F8WNAjS3ND', 'xulNXYfi3f', 'YAYNu8VUtU', 'uCgNiCRPeY'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, WKYp3LxaO9xCgRuSVE.cs	High entropy of concatenated method names: 'Dispose', 'QUCr2EEIRR', 'l6Xe1mZtub', 'MmtOONhLeV', 'vcArfml14L', 'UcJrzgRJ0t', 'ProcessDialogKey', 'LSOeydnMsM', 'vpWeraqTfD', 'WbseekRito'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, qhYTVHqPF5FU4j8DXE.cs	High entropy of concatenated method names: 'aE79vAZDC2', 'GjS9HF8Wnh', 'gOs9OPlSXR', 'B4Q91gg9mK', 'sFG9wOKrdq', 'hhZ9SwuKqN', 'OIX94xU5UB', 'hoD9Yy4UJe', 'W1F93UZ2o8', 'cft90dsjhg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, gbbVA14tBQCOnqKU9Y.cs	High entropy of concatenated method names: 'DUfAjERvfC', 'IErAbUc97J', 'JZ6AnQkN2F', 'J4UnfcEXMV', 'rPJnzOK7Hv', 'CCJAyBULpZ', 'TfpArh6bBv', 'QRIAe6iWt2', 'zwgAN4uRWD', 'AB4AR7xLgg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, UAml14PLccJgRJ0t4S.cs	High entropy of concatenated method names: 'UwgUj4PTKm', 'lG1UxpBtKI', 'BB7UbmhkXR', 'nF8UTuAioQ', 's3xUn9Z96C', 'i9TUAlGsae', 'IhsUX9TMZW', 'lrLUud4Zkw', 'CQuUiV7JRT', 'cfDUDmKxpR'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, tAcbefryMggPVwpTLx7.cs	High entropy of concatenated method names: 'OiQt77QEWV', 'IqAtG9rvsK', 'ctCtM0VyVp', 'wA1tBYOj2s', 'y1mtL1nKmK', 'WlGtdJlRdr', 'JemtoeZPJu', 'tAdtvh0fNI', 'rU9tHRIjXg', 'UTFtht5mEC'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, HRito2ftyhW443Hxbl.cs	High entropy of concatenated method names: 'Ldmtr7evZA', 'm7ktN1QBMx', 'NZmtRQTQP1', 'uoCtja763x', 'VHitxoBVFL', 'ITdtTdvI5L', 'A3GtncT0to', 'QKqUgQi5yM', 'PFxUPkSYGo', 'LCoU2djfgO'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, uNjnQspJ64xXuolXpg.cs	High entropy of concatenated method names: 'ToString', 'vOuI0AF8bg', 'PSyI1UJcNe', 'g7lIkURrQX', 'PgGIw5YwKO', 'mFYISaX6qq', 'HQ2Isj14Py', 'RpXI4noFHd', 'TL8IYeTBqn', 'swiIENsWLM'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, jl3RAe88u4hlLD3Mj7.cs	High entropy of concatenated method names: 'PtPKPqDyfD', 'CPfKf7clCW', 'OeIUyyUOCt', 'Du3UrGmGIc', 'lH5K0wMsgX', 'hj7KCPBvKK', 'kbgKq2OpiJ', 'NEPKlG09aV', 'jf7KJ0Kpai', 'oeQKpu18pQ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, pLg0YmhpR8uYAIHdvu.cs	High entropy of concatenated method names: 'vlZTLOP36D', 'kGmTo9YIU3', 'JrhbkND3gA', 'w8WbwZhdjh', 'AAkbSjOGWH', 'zWRbstnUfc', 'Qk1b4i2xs1', 'BxBbYXbYYI', 'EMQbEorGHy', 'bc9b3UUQ5K'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, V20jGCR5LKTDtuJD4U.cs	High entropy of concatenated method names: 'hwjrAVLhd3', 'ovjrX97x0u', 'lyIrii5Z0y', 'SRprDFILg0', 'pHdrFvuk41', 'NRprIkb9Be', 'SR9HnvbuAZJjDGALZh', 'JWWe3i6aDapwC80w9r', 'RcorrsiSy6', 'eMOrNVbTjy'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, H413RpOkb9Beefy6KO.cs	High entropy of concatenated method names: 'GIpnVXkXDv', 'NNunx1tWZS', 'sobnT7Wuqg', 'M3NnAgysns', 'dsdnXCdgVC', 'u8wTc2RkIw', 'YLWT8JPkNa', 'kG4Tghf4cn', 'foRTP63LKh', 'NTWT23UpQZ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, KvQxCNlNtBHxoGnWPu.cs	High entropy of concatenated method names: 'TxJF3EEgX5', 'tfmFCVDIi2', 'vCCFlRoqvO', 'FMZFJWha18', 'BwZF17Awnt', 'gLFFkQK5wk', 'O6ZFwJW45Q', 'b3HFSX02Ew', 'GlAFsXEIGR', 'v8KF4NRq2r'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, OEGyOZzp9CU9Z.cs	High entropy of concatenated method names: 'QYSru9RU5dJWd', 'oi9Msqd9lmqFp', 'Gh7hF3Ceyz4jK', 'x2Kcz0n4msm1l2xM', '_4hDI5T8H5DCOIm19', 'T6aFt50BZla82ZA2', 'zpcOiMJTAlF4Htxi', 'TMFXXcHHzUU18I1r', 'ZSkwZRotVkMfXhhu', 'Um2YTXt47I4LIxgc'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, v5gt0V01k1MSsC0vwoxxBSwsEW4T1eqJw046P2ak3r4M2UHQ1RfEfyXqwlgDqRqjrSOTYe7.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'QTea7y2A8yGbO3jMXxuYC9YMcx5anBR', 'ZTIL5yWBKqapf9Byr2X2ov4nJgGIqjf', 'WHkIaWdsBqOvjqgK5gnz3Hq7FGRo7av', 'ksvOYOxtyeEJgsYuEk2j6FJUFQEL7jb'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, xEwUvc4BlwXCJ.cs	High entropy of concatenated method names: 'upuCmD95kpAQn', 'y64QqzLLzgvYy', 'nHNLF6ETZc4pz', 'wFe23vyXZnI9p', 'oPyUSoKLxc3MJ', 'j0yacKOMxpzCw3ZgwzP7SYa9OQxk42U', 'sG0Gu7E9uPceY4JkCHFeLM6rppnIbSk', 'Ic69UCn21qS8jQPeUpzcxe67X8Wwo7C', 'TVdrYhGtHgnmKaKEGnnQHc1AVeCLwz9', 'h9lFeGqDok6PiuQlRtN7JIQA7sN9FeZ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, qMGvLJvouSdkL.cs	High entropy of concatenated method names: 'wAkM01TBZTMeC', 'ciAT4tkkLZ8RM', 'kyv1OiOaRjUOS', 'Is1Vu2C8gzfuWAcZ', 'ZrXVwJq1NPBYst66', 'YSiZ9OqRAn5DEoap', 'kpqsU8I4EmsXem6T', 'Y40LWH71GiExNonP', 'wlqe8L0mqhORb3Xh', 'cBzGfHA7YZurGUjI'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 3QiiXqkghrMk1.cs	High entropy of concatenated method names: '_7TDRTDNWODVx9', 'bjpklCnAU25Ps', '_7whWzOffgktu7', 'H6OjpWJSuZpR7', 'LgXlVehbtF6PL', 'VPnNUxfUUOfKi', 'kVcqKyJkqeEYF', 'I9f9xqzndWbJy', 'Yh4ih3UMSubwZ', '_99oZuJy83I8YX'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, y42W1bnvO6P0K.cs	High entropy of concatenated method names: 'LG61tF1NXxMw5', 'oGvBieVy94qbk', 'YRTDDNA0tkzMF', 'VhxySITiopS46', 'qjbfovDtQWz1b', 'kLPAgXYZstRMB', 'hjXpfk41rTAw1', 'zs2SZYN7C9FhZ', 'zFQIATYwwABMt', 'qai42JONF5klU'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	High entropy of concatenated method names: 'wcUZ2mvylwf7l', 'WtIrNy0hVmv60', 'JJgHyUlgPqlHQ', 'oHuREPEY4JElU', '_6vBzT4Nf8lYoy', 'Pai19egUGSisn', 'R5KRLNkgechqT', 'BCrPs0JGWRM5b', 'aoGqSGI44Uvct', 'irOTow0Wq5kJo'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, yI26puFLQ4OeW.cs	High entropy of concatenated method names: 'RPwrCFQWFVe3z', 'ykPv5m8mGukHt', 'rl3v1HQ21t3Ss', 'p5lTD1bRQsSns', 'N73EDMwGLrsYV', '_7giKgaxCmtum3', 'zR4TMA5bTqEsF', 'lNVI49QJGetLk', 'ivrYT9hUulqbg', 'G1GjbMsl7I84P'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, OEGyOZzp9CU9Z.cs	High entropy of concatenated method names: 'QYSru9RU5dJWd', 'oi9Msqd9lmqFp', 'Gh7hF3Ceyz4jK', 'x2Kcz0n4msm1l2xM', '_4hDI5T8H5DCOIm19', 'T6aFt50BZla82ZA2', 'zpcOiMJTAlF4Htxi', 'TMFXXcHHzUU18I1r', 'ZSkwZRotVkMfXhhu', 'Um2YTXt47I4LIxgc'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, v5gt0V01k1MSsC0vwoxxBSwsEW4T1eqJw046P2ak3r4M2UHQ1RfEfyXqwlgDqRqjrSOTYe7.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'QTea7y2A8yGbO3jMXxuYC9YMcx5anBR', 'ZTIL5yWBKqapf9Byr2X2ov4nJgGIqjf', 'WHkIaWdsBqOvjqgK5gnz3Hq7FGRo7av', 'ksvOYOxtyeEJgsYuEk2j6FJUFQEL7jb'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, xEwUvc4BlwXCJ.cs	High entropy of concatenated method names: 'upuCmD95kpAQn', 'y64QqzLLzgvYy', 'nHNLF6ETZc4pz', 'wFe23vyXZnI9p', 'oPyUSoKLxc3MJ', 'j0yacKOMxpzCw3ZgwzP7SYa9OQxk42U', 'sG0Gu7E9uPceY4JkCHFeLM6rppnIbSk', 'Ic69UCn21qS8jQPeUpzcxe67X8Wwo7C', 'TVdrYhGtHgnmKaKEGnnQHc1AVeCLwz9', 'h9lFeGqDok6PiuQlRtN7JIQA7sN9FeZ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, qMGvLJvouSdkL.cs	High entropy of concatenated method names: 'wAkM01TBZTMeC', 'ciAT4tkkLZ8RM', 'kyv1OiOaRjUOS', 'Is1Vu2C8gzfuWAcZ', 'ZrXVwJq1NPBYst66', 'YSiZ9OqRAn5DEoap', 'kpqsU8I4EmsXem6T', 'Y40LWH71GiExNonP', 'wlqe8L0mqhORb3Xh', 'cBzGfHA7YZurGUjI'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 3QiiXqkghrMk1.cs	High entropy of concatenated method names: '_7TDRTDNWODVx9', 'bjpklCnAU25Ps', '_7whWzOffgktu7', 'H6OjpWJSuZpR7', 'LgXlVehbtF6PL', 'VPnNUxfUUOfKi', 'kVcqKyJkqeEYF', 'I9f9xqzndWbJy', 'Yh4ih3UMSubwZ', '_99oZuJy83I8YX'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, y42W1bnvO6P0K.cs	High entropy of concatenated method names: 'LG61tF1NXxMw5', 'oGvBieVy94qbk', 'YRTDDNA0tkzMF', 'VhxySITiopS46', 'qjbfovDtQWz1b', 'kLPAgXYZstRMB', 'hjXpfk41rTAw1', 'zs2SZYN7C9FhZ', 'zFQIATYwwABMt', 'qai42JONF5klU'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	High entropy of concatenated method names: 'wcUZ2mvylwf7l', 'WtIrNy0hVmv60', 'JJgHyUlgPqlHQ', 'oHuREPEY4JElU', '_6vBzT4Nf8lYoy', 'Pai19egUGSisn', 'R5KRLNkgechqT', 'BCrPs0JGWRM5b', 'aoGqSGI44Uvct', 'irOTow0Wq5kJo'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, yI26puFLQ4OeW.cs	High entropy of concatenated method names: 'RPwrCFQWFVe3z', 'ykPv5m8mGukHt', 'rl3v1HQ21t3Ss', 'p5lTD1bRQsSns', 'N73EDMwGLrsYV', '_7giKgaxCmtum3', 'zR4TMA5bTqEsF', 'lNVI49QJGetLk', 'ivrYT9hUulqbg', 'G1GjbMsl7I84P'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, fVLhd3v9vj97x0ul7x.cs	High entropy of concatenated method names: 'K3AxlOLVKI', 'VarxJn84gX', 'PJSxpaFyMT', 'C4oxQnAqnI', 'kPTxcx3RIZ', 'KcIx8ir71C', 'al4xg4pRkI', 'ar3xP1CbjZ', 'I97x28B1O4', 'PKCxfWURYJ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, oCoC4rSRQ5DbVVPrMB.cs	High entropy of concatenated method names: 'u0Jn4DtwQR', 'vd8nEkQTGN', 'F8nnsFxcrI', 'cF9Yu8HPWdNl3mAgAl2', 'mVgTqRH9pFjA5MwAUEJ', 'KtydHfHCsXaAUGQ1Zbo'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, crTyvuEhkkEYNy7pZ3.cs	High entropy of concatenated method names: 'whnA77HBsa', 'dQ7AGfZmg6', 'u8jAMq9Pip', 'ehRABaHdYk', 'qxEALDUgxD', 'oCWAd4r8Gg', 'GfYAo6gujn', 'iEfAvNanha', 'pbEAHHwQC2', 'S0DAh8rQp8'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, a7PBht10ILexMfENh5.cs	High entropy of concatenated method names: 'ty1ooJHs8noJ0FDr7rS', 'gktV4MHAI2JZgw6A5x3', 'RnvnUD2VkT', 'iIIntGEINW', 'Y7inmawLHh', 'jKlQ7UHGxLUlLuSbvOt', 'FrB5qkHBd4kY3hwgQaa', 'VNw4mHHeNyhFl9YILyi'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, nTd64leKOQkBShM71J.cs	High entropy of concatenated method names: 'HCrMnLx7W', 'HEaBLNJUZ', 'nGJd5VT8d', 'XCNoXvuef', 'ShLHn2dgQ', 'jmbhBiaek', 'fat5O0pl1xPh5SRD1F', 'ltuW3029XaQBRHk5PO', 'FxyUnsRso', 'y6PmPcuvN'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, nv80huHyIi5Z0ypRpF.cs	High entropy of concatenated method names: 'G5ibBgK5QF', 'gcXbdVUujo', 'yK7bvwjPme', 'omYbH6Td5n', 'ANZbFOshJO', 'S7lbITtPlX', 'NYnbKN9gW3', 'MfrbU1SAhn', 'aDDbticM2Q', 'YU1bm2unaD'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GdnMsM2ZpWaqTfDgbs.cs	High entropy of concatenated method names: 'pHwUOVN7Or', 'ErfU1RIwFR', 'qPnUkI1P2i', 'yTgUwTWqam', 'oVEUl5RCci', 'oIKUSwI65i', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, cRuI1ZQuA6WoRBZi6G.cs	High entropy of concatenated method names: 'gd7KiR3hi3', 'slpKDMW70S', 'ToString', 'OAQKjAaY9H', 'gcuKx9hB0d', 'yUIKbZXXeI', 'gIjKTq8hE6', 'h2QKnYMHGV', 'NklKA7JSCl', 'dBiKXmNUi1'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, OplsHdzJvA0crPbN5m.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O9Nt9ADeIG', 'sSUtFjmGmJ', 'jlYtIt1WMT', 'KUOtKERjk2', 'iH8tUuhNHm', 'Or5ttsyaX1', 'QaKtmqbuE3'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, bX9Fp8rNJpntZjUhZX0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FAIml1Vvh1', 'J3HmJaeyYt', 'k6MmpqnVku', 'JTomQd9BAT', 'hkKmc6IQqT', 'bANm8Aj7ai', 'wZVmgTfGZt'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	High entropy of concatenated method names: 'gVbNVtZ62T', 'ObvNjIoYTU', 'RCPNxaUWlK', 'AKuNboDfQc', 'DTpNTbVqOQ', 'Op2NnfLkCn', 'F8WNAjS3ND', 'xulNXYfi3f', 'YAYNu8VUtU', 'uCgNiCRPeY'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, WKYp3LxaO9xCgRuSVE.cs	High entropy of concatenated method names: 'Dispose', 'QUCr2EEIRR', 'l6Xe1mZtub', 'MmtOONhLeV', 'vcArfml14L', 'UcJrzgRJ0t', 'ProcessDialogKey', 'LSOeydnMsM', 'vpWeraqTfD', 'WbseekRito'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, qhYTVHqPF5FU4j8DXE.cs	High entropy of concatenated method names: 'aE79vAZDC2', 'GjS9HF8Wnh', 'gOs9OPlSXR', 'B4Q91gg9mK', 'sFG9wOKrdq', 'hhZ9SwuKqN', 'OIX94xU5UB', 'hoD9Yy4UJe', 'W1F93UZ2o8', 'cft90dsjhg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, gbbVA14tBQCOnqKU9Y.cs	High entropy of concatenated method names: 'DUfAjERvfC', 'IErAbUc97J', 'JZ6AnQkN2F', 'J4UnfcEXMV', 'rPJnzOK7Hv', 'CCJAyBULpZ', 'TfpArh6bBv', 'QRIAe6iWt2', 'zwgAN4uRWD', 'AB4AR7xLgg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, UAml14PLccJgRJ0t4S.cs	High entropy of concatenated method names: 'UwgUj4PTKm', 'lG1UxpBtKI', 'BB7UbmhkXR', 'nF8UTuAioQ', 's3xUn9Z96C', 'i9TUAlGsae', 'IhsUX9TMZW', 'lrLUud4Zkw', 'CQuUiV7JRT', 'cfDUDmKxpR'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, tAcbefryMggPVwpTLx7.cs	High entropy of concatenated method names: 'OiQt77QEWV', 'IqAtG9rvsK', 'ctCtM0VyVp', 'wA1tBYOj2s', 'y1mtL1nKmK', 'WlGtdJlRdr', 'JemtoeZPJu', 'tAdtvh0fNI', 'rU9tHRIjXg', 'UTFtht5mEC'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, HRito2ftyhW443Hxbl.cs	High entropy of concatenated method names: 'Ldmtr7evZA', 'm7ktN1QBMx', 'NZmtRQTQP1', 'uoCtja763x', 'VHitxoBVFL', 'ITdtTdvI5L', 'A3GtncT0to', 'QKqUgQi5yM', 'PFxUPkSYGo', 'LCoU2djfgO'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, uNjnQspJ64xXuolXpg.cs	High entropy of concatenated method names: 'ToString', 'vOuI0AF8bg', 'PSyI1UJcNe', 'g7lIkURrQX', 'PgGIw5YwKO', 'mFYISaX6qq', 'HQ2Isj14Py', 'RpXI4noFHd', 'TL8IYeTBqn', 'swiIENsWLM'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, jl3RAe88u4hlLD3Mj7.cs	High entropy of concatenated method names: 'PtPKPqDyfD', 'CPfKf7clCW', 'OeIUyyUOCt', 'Du3UrGmGIc', 'lH5K0wMsgX', 'hj7KCPBvKK', 'kbgKq2OpiJ', 'NEPKlG09aV', 'jf7KJ0Kpai', 'oeQKpu18pQ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, pLg0YmhpR8uYAIHdvu.cs	High entropy of concatenated method names: 'vlZTLOP36D', 'kGmTo9YIU3', 'JrhbkND3gA', 'w8WbwZhdjh', 'AAkbSjOGWH', 'zWRbstnUfc', 'Qk1b4i2xs1', 'BxBbYXbYYI', 'EMQbEorGHy', 'bc9b3UUQ5K'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, V20jGCR5LKTDtuJD4U.cs	High entropy of concatenated method names: 'hwjrAVLhd3', 'ovjrX97x0u', 'lyIrii5Z0y', 'SRprDFILg0', 'pHdrFvuk41', 'NRprIkb9Be', 'SR9HnvbuAZJjDGALZh', 'JWWe3i6aDapwC80w9r', 'RcorrsiSy6', 'eMOrNVbTjy'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, H413RpOkb9Beefy6KO.cs	High entropy of concatenated method names: 'GIpnVXkXDv', 'NNunx1tWZS', 'sobnT7Wuqg', 'M3NnAgysns', 'dsdnXCdgVC', 'u8wTc2RkIw', 'YLWT8JPkNa', 'kG4Tghf4cn', 'foRTP63LKh', 'NTWT23UpQZ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, KvQxCNlNtBHxoGnWPu.cs	High entropy of concatenated method names: 'TxJF3EEgX5', 'tfmFCVDIi2', 'vCCFlRoqvO', 'FMZFJWha18', 'BwZF17Awnt', 'gLFFkQK5wk', 'O6ZFwJW45Q', 'b3HFSX02Ew', 'GlAFsXEIGR', 'v8KF4NRq2r'

Creates processes with suspicious names

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe	Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.scr

Static PE information: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 3608, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 28C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 8980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 9980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 9B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: AB80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 13C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Window / User API: threadDelayed 6510	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Window / User API: threadDelayed 3313	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6898	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2787	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6230	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3565	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7414	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2322	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2997
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6630

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe TID: 1536	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe TID: 3136	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe TID: 6660	Thread sleep count: 6510 > 30	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe TID: 6660	Thread sleep count: 3313 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1436	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2752	Thread sleep count: 6230 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1272	Thread sleep count: 3565 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5472	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4052	Thread sleep count: 7414 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4052	Thread sleep count: 2322 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1988	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep time: -5534023222112862s >= -30000s

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4530484778.0000000001074000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe "C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4530484778.0000000001074000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4534290807.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 3608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 6608, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4534290807.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 3608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 6608, type: MEMORYSTR

ID:	1528881
Product:	CloudBasic
Start time:	11:27:17
Start date:	08.10.2024
Sample:	F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	70566f5275ea7ac9fca0ebd9c31bb101
SHA1:	6957d5f073ccf99c3a65563ad70d7fca33839250
SHA256:	5602833d8b536edfbf979eb740f3345c291a68fc11f868dca1bef92f722420fa
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	352C703F279BAC9E349C458DA3194776	6C28749AB71228B9F305A1EC56534A1D1842C397	04F3E4DF339CF918CAFD661E304CF1524357A716C140A24EC361E747BAD9224D
C:\Users\user\AppData\Local\Temp\Log.tmp	ASCII text, with CRLF line terminators	2C11513C4FAB02AEDEE23EC05A2EB3CC	59177C177B2546FBD8EC7688BAD19D08D32640DE	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ltnvgwb.qz5.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2gqqqfti.wmj.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3g3v2mv4.c3k.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3sqmsmr1.3rv.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_doo1jfqc.i2f.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e5dziafv.dvh.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hwix4mu4.0r2.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i2k3jbs1.g1g.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iykyorr3.3cb.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iyq5ekke.w2l.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pqz4vs4g.ilf.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qlhegpbf.ejq.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_quqaejwr.03f.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t44uf1gc.dld.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ytjs1ruy.w1v.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zibivij4.bkf.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Oct 8 08:28:39 2024, mtime=Tue Oct 8 08:28:39 2024, atime=Tue Oct 8 08:28:39 2024, length=512000, window=hide	B14DE0837D4710E0A57DCF4D793F1241	B48DD5C6E6649F4C0108DFC913004170E5A7A046	6C84E87451184C3C0544F95CA1E45DAF48CC147388802AD416807B2350E3BD68
C:\Users\user\AppData\Roaming\XClient.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	70566F5275EA7AC9FCA0EBD9C31BB101	6957D5F073CCF99C3A65563AD70D7FCA33839250	5602833D8B536EDFBF979EB740F3345C291A68FC11F868DCA1BEF92F722420FA

Windows Analysis Report
F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Malware Threat Intel
Provided by