Windows Analysis Report
X.exe

AV Detection

Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Avira: detection malicious, Label: TR/Spy.Gen

Source: 0000000C.00000002.1710922848.0000000003161000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["22.ip.gl.ply.gg"], "Port": "54699", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	ReversingLabs: Detection: 81%

Source: X.exe

ReversingLabs: Detection: 63%

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Joe Sandbox ML: detected

Source: X.exe

Joe Sandbox ML: detected

Source: 13.0.Google Chrome.exe.610000.0.unpack	String decryptor: 22.ip.gl.ply.gg
Source: 13.0.Google Chrome.exe.610000.0.unpack	String decryptor: 54699
Source: 13.0.Google Chrome.exe.610000.0.unpack	String decryptor: 1337
Source: 13.0.Google Chrome.exe.610000.0.unpack	String decryptor: <Xwormmm>
Source: 13.0.Google Chrome.exe.610000.0.unpack	String decryptor: Video
Source: 13.0.Google Chrome.exe.610000.0.unpack	String decryptor: USB.exe
Source: 13.0.Google Chrome.exe.610000.0.unpack	String decryptor: %LocalAppData%
Source: 13.0.Google Chrome.exe.610000.0.unpack	String decryptor: Google Chrome.exe

Compliance

Source: X.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Software Vulnerabilities

Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Malware configuration extractor

URLs: 22.ip.gl.ply.gg

Source: Yara match	File source: 5.0.Windows Defender.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.Google Chrome.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.X.exe.140f9ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, type: DROPPED

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: TUT-ASUS TUT-ASUS

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com

Source: powershell.exe, 0000001A.00000002.2938908056.000001D0F6095000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000011.00000002.2232854236.00000190DD0EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000011.00000002.2228425709.00000190DD0C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoqx8
Source: X.exe, 00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp, Windows Defender.exe, 00000005.00000000.1475029676.0000000000172000.00000002.00000001.01000000.00000009.sdmp, Google Chrome.exe, 0000000D.00000000.1724078447.0000000000612000.00000002.00000001.01000000.0000000A.sdmp, Windows Defender.exe.0.dr, Google Chrome.exe.0.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.1453442601.00000253ADBF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1639554132.000002D22106F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1756386840.000001D510070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2141274912.00000190D484F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2276113890.0000021E474EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2855993611.000001D090067000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001C.00000002.2493859765.0000026F597C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1423076041.000002539DDA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1503326387.000002D211228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1553072201.000001D500228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1810622083.00000190C4A0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1907092950.0000021E376A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2303227830.000001D080227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2493859765.0000026F597C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1423076041.000002539DB81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1503326387.000002D211001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1553072201.000001D500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1810622083.00000190C47E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1907092950.0000021E37481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2303227830.000001D080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2493859765.0000026F59571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1423076041.000002539DDA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1503326387.000002D211228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1553072201.000001D500228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1810622083.00000190C4A0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1907092950.0000021E376A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2303227830.000001D080227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2493859765.0000026F597C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001C.00000002.2493859765.0000026F597C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001A.00000002.2977692716.000001D0F8241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000009.00000002.1815371128.000001D5759FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000006.00000002.1685428644.000002D229630000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1685721301.000002D22983D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.1423076041.000002539DB81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1503326387.000002D211001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1553072201.000001D500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1810622083.00000190C47E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1907092950.0000021E37481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2303227830.000001D080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2493859765.0000026F59571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000001A.00000002.2855993611.000001D090067000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001A.00000002.2855993611.000001D090067000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001A.00000002.2855993611.000001D090067000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001C.00000002.2493859765.0000026F597C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1453442601.00000253ADBF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1639554132.000002D22106F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1756386840.000001D510070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2141274912.00000190D484F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2276113890.0000021E474EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2855993611.000001D090067000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Source: 5.0.Windows Defender.exe.170000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 13.0.Google Chrome.exe.610000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.X.exe.140f9ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000000.1475029676.0000000000172000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000D.00000000.1724078447.0000000000612000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\X.exe	Code function: 0_2_00007FFAAB780A31		0_2_00007FFAAB780A31
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAAB79208D		2_2_00007FFAAB79208D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFAAB8430E9		6_2_00007FFAAB8430E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFAAB8630E9		9_2_00007FFAAB8630E9
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Code function: 11_2_00007FFAAB7A16E9		11_2_00007FFAAB7A16E9
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Code function: 11_2_00007FFAAB7A0E5E		11_2_00007FFAAB7A0E5E
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Code function: 11_2_00007FFAAB7A20C1		11_2_00007FFAAB7A20C1
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Code function: 12_2_00007FFAAB7A16E9		12_2_00007FFAAB7A16E9
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Code function: 12_2_00007FFAAB7A0E5E		12_2_00007FFAAB7A0E5E
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Code function: 12_2_00007FFAAB7A20C1		12_2_00007FFAAB7A20C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFAAB8730E9		20_2_00007FFAAB8730E9
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Code function: 22_2_00007FFAAB7A16E9		22_2_00007FFAAB7A16E9
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Code function: 22_2_00007FFAAB7A0E5E		22_2_00007FFAAB7A0E5E
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Code function: 22_2_00007FFAAB7A20C1		22_2_00007FFAAB7A20C1
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Code function: 25_2_00007FFAAB7B16E9		25_2_00007FFAAB7B16E9
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Code function: 25_2_00007FFAAB7B0E5E		25_2_00007FFAAB7B0E5E
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Code function: 25_2_00007FFAAB7B20C1		25_2_00007FFAAB7B20C1

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\Windows Defender.exe 576D63BF309D5FB80B9D2683B21B8257D60DD2A8FA4974982D38EBFACE89FC47

Source: X.exe

Static PE information: No import functions for PE file found

Source: X.exe, 00000000.00000002.1747299745.000000000410D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGoogle Chrome.exe4 vs X.exe
Source: X.exe, 00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGoogle Chrome.exe4 vs X.exe

Source: 5.0.Windows Defender.exe.170000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 13.0.Google Chrome.exe.610000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.X.exe.140f9ac0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000000.1475029676.0000000000172000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000D.00000000.1724078447.0000000000612000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: Windows Defender.exe.0.dr, lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows Defender.exe.0.dr, lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows Defender.exe.0.dr, tBZCWm7wJKWrvEwJjCneXQvYCf0Z1Hh9jgOBkQZCmW6wv8woLGoDUWwpaSbAug.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Google Chrome.exe.0.dr, EPF8Pua7qdV0S9h4vNzRF9epgA0dMGa.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Google Chrome.exe.0.dr, 2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Google Chrome.exe.0.dr, 2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, EPF8Pua7qdV0S9h4vNzRF9epgA0dMGa.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, 2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, 2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Windows Defender.exe.0.dr, HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.cs	Base64 encoded string: 'zmJZIyrtAB6zwb1f3cBKTdulJiIzhjdwIuFClC8ghF0oFbRL03u0nsp4ST34knk0KtnLPPnziCwyaxeZ', 'KtAfEubdoqgU7cICy6SfkgZwYxxKlSU0UIxCrnYi9L7AC22NqLSInX5SQQOOQN6CqobVJrkVkSRLu20o'
Source: Windows Defender.exe.0.dr, XTL63OWwlW8xwNxHliXe5MQAZDgir0OO3J3aDCgI2Uo9U.cs	Base64 encoded string: 'qpfyq9LnqydLzmLMJoytp9RlcPGNbjoZuIELFFeGJvfgvccNxSqqeegPEwuRf2CGFbeXsv57wC2wvyeP', 'ZdBNKi2pAGVj0XJjnVbQ8IaqTnqqZjnoJJTCp5ceaYAia1GD9ahP3yfmg1uwKkbkgLo0VZZsMMQ3heHc', 'mePsIuQX1hkcDpPdDepj1WrO7MpylVcOPpPxsV1V8NiJOnfAoUDFkP5xFrEJBhLIgMLDd1fACeNhJEm7'
Source: Windows Defender.exe.0.dr, Xp5eWsWWhMglmS4zYSIjSD4w2EFmG57IhPNnHU1bP52sr.cs	Base64 encoded string: 'GPsvJuNjyTz65i2snoykbYCYGGsV9Vxx8jKabhUNwlOHrrVUmaULtbK4fsi9cjJjNn3r5iTsfY5zkm4E', 'SarhKHw13cWgtP0H3KWmgiIMCBfTOpF3IrJB2E99LRWcrq6JEKUwcJkmd6f2ww2WNAYglhZi4hmyB9SY', 'MxVwAF0eql5skfC77bwD5zYdBCylZBburbcgzGUOXir4alwX0NftAWcK38c90WrqYAlRp3PuUhPIgCOF', 'KKa07NLsmDpTsxajQ6Y8mLS0LcywJrzG0DX7zNLZ5nX4h0X234MQaiNTUmBxzee2m0Ndto4SJGZ4OJ4g', 'LCHTqglxmez1QAB3P08zS62lz8vOiSHpCyYRmZJnR4Bhc6BE16RiJ92ZVqYX43p0vhkeCUW1zZXD7fVU', 'GeQpkCq1V1er8Y0stflKKXqO4ywSCBCIIrsMie2gvnlQFtMtB4h4op0Xv8B0WkA5uaauQEON0koToNS4', 'Y38kNVzfWDKYks466lSDuLVTnGX9UPc5K0iucKQzESIIerjegKgKCLpQz1cF0NNRvWed8aj0wpjQOA4Y', 'JXnWiLyl8Wssr5AF2abVNGjE6yUO2l3urSLeYJ2MG77zylPnOLMDeqBhnK6mqtCNX9GGpN1ixT8Y6Lta', 'yLWZd6sMz8szo9fWvPSsiKiRNiaEq6MPoyT5n3xnZL9r4GCluJiGV115GI9jc2086Pp5sfw6Gp1twhK1'

Source: Windows Defender.exe.0.dr, Q5rYqmkFrCyjhTqjwG8qAWrGPcnIHyXyeJNHX3ZoPPK3S367NSagfidADR3o0oG7aigItouSGKdHm.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Windows Defender.exe.0.dr, Q5rYqmkFrCyjhTqjwG8qAWrGPcnIHyXyeJNHX3ZoPPK3S367NSagfidADR3o0oG7aigItouSGKdHm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, nLxyvU4XZkGViCTKiVdfH88oRZM5Cuv.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, nLxyvU4XZkGViCTKiVdfH88oRZM5Cuv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Google Chrome.exe.0.dr, nLxyvU4XZkGViCTKiVdfH88oRZM5Cuv.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Google Chrome.exe.0.dr, nLxyvU4XZkGViCTKiVdfH88oRZM5Cuv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@36/35@3/1

Source: C:\Users\user\Desktop\X.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\X.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3900:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Mutant created: \Sessions\1\BaseNamedObjects\nk4GrQt4g7tiU7a0
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_03
Source: C:\Users\user\Desktop\X.exe	Mutant created: \Sessions\1\BaseNamedObjects\gYH9wmx6Oq2bUbIgm
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Mutant created: \Sessions\1\BaseNamedObjects\WR2rJvQsDgMo0fED
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03

Source: C:\Users\user\Desktop\X.exe

File created: C:\Users\user\AppData\Local\Temp\Windows Defender.exe

Jump to behavior

Source: C:\Users\user\Desktop\X.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\Nursultan by fruktoozik.bat" "

Source: X.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: X.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\X.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\X.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: X.exe

ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\X.exe "C:\Users\user\Desktop\X.exe"
Source: C:\Users\user\Desktop\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\X.exe	Process created: C:\Users\user\AppData\Local\Temp\Windows Defender.exe "C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe"
Source: C:\Users\user\Desktop\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Google Chrome.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Windows Defender.exe "C:\Users\user\AppData\Local\Temp\Windows Defender.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Windows Defender.exe "C:\Users\user\AppData\Local\Temp\Windows Defender.exe"
Source: C:\Users\user\Desktop\X.exe	Process created: C:\Users\user\AppData\Local\Temp\Google Chrome.exe "C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe"
Source: C:\Users\user\Desktop\X.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\Nursultan by fruktoozik.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Google Chrome.exe "C:\Users\user\AppData\Local\Temp\Google Chrome.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Google Chrome.exe "C:\Users\user\AppData\Local\Temp\Google Chrome.exe"
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Google Chrome.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Windows Defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender.exe'			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process created: C:\Users\user\AppData\Local\Temp\Windows Defender.exe "C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe"			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Google Chrome.exe'			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process created: C:\Users\user\AppData\Local\Temp\Google Chrome.exe "C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe"			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\Nursultan by fruktoozik.bat" "			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Windows Defender.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe'
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Google Chrome.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001

Source: C:\Users\user\Desktop\X.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: rasapi32.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: rasman.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: rtutils.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\Desktop\X.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\X.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: X.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: X.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: X.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: X.exe

Static file information: File size 10559488 > 1048576

Source: X.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0xa11800

Source: X.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.CZPe3SyONWjc5hj7Zt6pMdbenXpaXikMlYpqDKafLkOms,HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.zZKdF8cP7z9HFwFLRzzYTFQciU5MLuHHC6ENIjMkVQdXq,HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.uwhBvO1fbcTMCs5cpy4a3GxWkUK9nOFUAjU5tbLzxc4Nm,HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad._5u2o12FB2HiDfSgNUYqkFFRVaw4aYHm8E3UpGOPhPKmwt,lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.zhcMYZF0QInpk1kT5sx0pNbXx64NrJThadiT87lCJABNsLFSAdhLLgBrOIoBM5pw3c3TJwachr4ojYs0LVrQgMiixm9P0n()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{kP8naPsDEdt3KCHnv9GqttgTX3pGruI7tMADa4O9Wf7arGbQRnEi9d5VnHvKfr[2],lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.LytLH5HEpuu4OIZ4MZsfCpCesChmU0ZjVIJ8b1hISUzFK3SckjwTfifsxmOb9YgG9vGxixmqOMdF76qpemglcmyKbAAsfo(Convert.FromBase64String(kP8naPsDEdt3KCHnv9GqttgTX3pGruI7tMADa4O9Wf7arGbQRnEi9d5VnHvKfr[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { kP8naPsDEdt3KCHnv9GqttgTX3pGruI7tMADa4O9Wf7arGbQRnEi9d5VnHvKfr[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: Google Chrome.exe.0.dr, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{CGAYn8GtbqDiPtbup0K8aMbICopU4Wq7kUseDdUFH5dTtKH3ID5bU9aTVDsLDcLelNtJZKiULraIcKh2uvU7QAJx.OITGxfhOK68wJPCo6MtHnrlyVHyKORMPliv7ZiqCMHvzYgOkhkXsK0u8OhLgWYy0dP1KoF40Axe61GDe1t57jVm5,CGAYn8GtbqDiPtbup0K8aMbICopU4Wq7kUseDdUFH5dTtKH3ID5bU9aTVDsLDcLelNtJZKiULraIcKh2uvU7QAJx._1ANXilRELSzhTddVibajQmsL6R65eHUmCCMQnnut9R9rgwYD1NjmN73hamUw91d2kZAOj5XKmA78nAeFJmPC8jmc,CGAYn8GtbqDiPtbup0K8aMbICopU4Wq7kUseDdUFH5dTtKH3ID5bU9aTVDsLDcLelNtJZKiULraIcKh2uvU7QAJx._8iftPdZwa8calZ1nwsss8I1uH4v7BY6jA7ZD9hiYFnGqGZorMhCHdEamQX3IBVvF1FMWs5O7YpqBbChOltJ4KRaS,CGAYn8GtbqDiPtbup0K8aMbICopU4Wq7kUseDdUFH5dTtKH3ID5bU9aTVDsLDcLelNtJZKiULraIcKh2uvU7QAJx.wESkSQlk2LTmddktYdbZYhIdpL53tC64r4K1fVruIFfyKcMGP1t2FBlv4Dk81tyYqH01deeRtH84HaYYKAIraLGI,_2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.bL5SxUEmaU0P2D5c7IW69D34YGlObRx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Google Chrome.exe.0.dr, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{y4fyaCSbdx6tceTNvcfUPWwSJvHRfiU[2],_2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.AkxQRAUaBbQFqzLtkFyQDuFOWyk5dLd(Convert.FromBase64String(y4fyaCSbdx6tceTNvcfUPWwSJvHRfiU[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Google Chrome.exe.0.dr, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { y4fyaCSbdx6tceTNvcfUPWwSJvHRfiU[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{CGAYn8GtbqDiPtbup0K8aMbICopU4Wq7kUseDdUFH5dTtKH3ID5bU9aTVDsLDcLelNtJZKiULraIcKh2uvU7QAJx.OITGxfhOK68wJPCo6MtHnrlyVHyKORMPliv7ZiqCMHvzYgOkhkXsK0u8OhLgWYy0dP1KoF40Axe61GDe1t57jVm5,CGAYn8GtbqDiPtbup0K8aMbICopU4Wq7kUseDdUFH5dTtKH3ID5bU9aTVDsLDcLelNtJZKiULraIcKh2uvU7QAJx._1ANXilRELSzhTddVibajQmsL6R65eHUmCCMQnnut9R9rgwYD1NjmN73hamUw91d2kZAOj5XKmA78nAeFJmPC8jmc,CGAYn8GtbqDiPtbup0K8aMbICopU4Wq7kUseDdUFH5dTtKH3ID5bU9aTVDsLDcLelNtJZKiULraIcKh2uvU7QAJx._8iftPdZwa8calZ1nwsss8I1uH4v7BY6jA7ZD9hiYFnGqGZorMhCHdEamQX3IBVvF1FMWs5O7YpqBbChOltJ4KRaS,CGAYn8GtbqDiPtbup0K8aMbICopU4Wq7kUseDdUFH5dTtKH3ID5bU9aTVDsLDcLelNtJZKiULraIcKh2uvU7QAJx.wESkSQlk2LTmddktYdbZYhIdpL53tC64r4K1fVruIFfyKcMGP1t2FBlv4Dk81tyYqH01deeRtH84HaYYKAIraLGI,_2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.bL5SxUEmaU0P2D5c7IW69D34YGlObRx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{y4fyaCSbdx6tceTNvcfUPWwSJvHRfiU[2],_2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.AkxQRAUaBbQFqzLtkFyQDuFOWyk5dLd(Convert.FromBase64String(y4fyaCSbdx6tceTNvcfUPWwSJvHRfiU[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { y4fyaCSbdx6tceTNvcfUPWwSJvHRfiU[2] }}, (string[])null, (Type[])null, (bool[])null, true)

Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs	.Net Code: btLAU14pks6PBxFwEe0mhymuEFOGtv1mHvL8Z1lwxNp1uuoqscXUIuXCJMntdvB7QJ4SrgXOqP2Ac System.AppDomain.Load(byte[])
Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs	.Net Code: elpS3ku2aknXu3fLwtG2LmSWxhZ2tMiKJL0vXJ9OkUrcWY9AKDT2p25B3KlnFKErNlvaEG9ZewnXP System.AppDomain.Load(byte[])
Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs	.Net Code: elpS3ku2aknXu3fLwtG2LmSWxhZ2tMiKJL0vXJ9OkUrcWY9AKDT2p25B3KlnFKErNlvaEG9ZewnXP
Source: Google Chrome.exe.0.dr, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs	.Net Code: f9ZdtOKP4Q3DUGf2u4fXoYuntvta6B7 System.AppDomain.Load(byte[])
Source: Google Chrome.exe.0.dr, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs	.Net Code: CJNLAh9oPQ1izWAaun4lIPPspdIeuIk System.AppDomain.Load(byte[])
Source: Google Chrome.exe.0.dr, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs	.Net Code: CJNLAh9oPQ1izWAaun4lIPPspdIeuIk
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs	.Net Code: f9ZdtOKP4Q3DUGf2u4fXoYuntvta6B7 System.AppDomain.Load(byte[])
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs	.Net Code: CJNLAh9oPQ1izWAaun4lIPPspdIeuIk System.AppDomain.Load(byte[])
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs	.Net Code: CJNLAh9oPQ1izWAaun4lIPPspdIeuIk

Source: X.exe, 00000000.00000000.1358812392.0000000000122000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: dotNetProtector
Source: X.exe, 00000000.00000000.1358812392.0000000000122000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: jSystem.ComponentModelLateCallProtectorProjectByDrakeLamGZipStreamMemoryStreamProgramSystemToBooleanSystem.ComponentModel.DesignAppDomainget_CurrentDomainGetFileNameWithoutExtensionSystem.IO.CompressionMyApplicationNineRays.Obfuscator.EvaluationSystem.ReflectionExceptionProcessStartInfoDirectoryInfoSleepZYXDNGuarderResourceManagerToIntegerSystem.CodeDom.Compilerget_CurrentUserBitConverterServerComputerMyComputerClearProjectErrorSetProjectErrorGetEnumeratorActivator.ctor.cctordotNetProtectorSystem.DiagnosticsMicrosoft.VisualBasic.DevicesMyWebServicesMicrosoft.VisualBasic.ApplicationServicesSystem.Runtime.InteropServicesMicrosoft.VisualBasic.CompilerServicesSystem.Runtime.CompilerServicesMicrosoft.VisualBasic.MyServicesmqszk.ResourcesSystem.ResourcesExpandEnvironmentVariablesFileAttributesSetAttributesWriteAllBytesStringsEqualsContainsConversionsRuntimeHelpersOperatorsProcessset_ArgumentsExistsConcatConcatenateObjectSubtractObjectGetObjectMyProjectCollectSplitWaitForExitEnvironmentget_CurrentStartConvertinputMoveNext
Source: X.exe	String found in binary or memory: dotNetProtector
Source: X.exe	String found in binary or memory: jSystem.ComponentModelLateCallProtectorProjectByDrakeLamGZipStreamMemoryStreamProgramSystemToBooleanSystem.ComponentModel.DesignAppDomainget_CurrentDomainGetFileNameWithoutExtensionSystem.IO.CompressionMyApplicationNineRays.Obfuscator.EvaluationSystem.ReflectionExceptionProcessStartInfoDirectoryInfoSleepZYXDNGuarderResourceManagerToIntegerSystem.CodeDom.Compilerget_CurrentUserBitConverterServerComputerMyComputerClearProjectErrorSetProjectErrorGetEnumeratorActivator.ctor.cctordotNetProtectorSystem.DiagnosticsMicrosoft.VisualBasic.DevicesMyWebServicesMicrosoft.VisualBasic.ApplicationServicesSystem.Runtime.InteropServicesMicrosoft.VisualBasic.CompilerServicesSystem.Runtime.CompilerServicesMicrosoft.VisualBasic.MyServicesmqszk.ResourcesSystem.ResourcesExpandEnvironmentVariablesFileAttributesSetAttributesWriteAllBytesStringsEqualsContainsConversionsRuntimeHelpersOperatorsProcessset_ArgumentsExistsConcatConcatenateObjectSubtractObjectGetObjectMyProjectCollectSplitWaitForExitEnvironmentget_CurrentStartConvertinputMoveNext

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAAB67D2A5 pushad ; iretd		2_2_00007FFAAB67D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAAB862316 push 8B485F93h; iretd		2_2_00007FFAAB86231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFAAB65D2A5 pushad ; iretd		6_2_00007FFAAB65D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFAAB77123A push E95CB705h; ret		6_2_00007FFAAB771239
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFAAB7719F2 pushad ; ret		6_2_00007FFAAB7719F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFAAB7711FA push E95CB705h; ret		6_2_00007FFAAB771239
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFAAB842316 push 8B485F95h; iretd		6_2_00007FFAAB84231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFAAB67D2A5 pushad ; iretd		9_2_00007FFAAB67D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFAAB862316 push 8B485F93h; iretd		9_2_00007FFAAB86231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFAAB867BFC push esp; iretd		9_2_00007FFAAB867BFD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFAAB66D2A5 pushad ; iretd		17_2_00007FFAAB66D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFAAB78123A push E95CB605h; ret		17_2_00007FFAAB781239
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFAAB7811FA push E95CB605h; ret		17_2_00007FFAAB781239
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFAAB850020 push eax; iretd		17_2_00007FFAAB850039
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFAAB8545A0 push eax; iretd		17_2_00007FFAAB8545A1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFAAB852316 push 8B485F94h; iretd		17_2_00007FFAAB85231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFAAB68D2A5 pushad ; iretd		20_2_00007FFAAB68D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFAAB872316 push 8B485F92h; iretd		20_2_00007FFAAB87231B

Source: Windows Defender.exe.0.dr, HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.cs	High entropy of concatenated method names: 'Rute6Q5WfZvWUrj7yB49O777GXEBlczDv32ghc0AuKl7Eq7f8AlSx1K9UCYrTt8Enkzd00PAsgvJ2GaG', 'vqoXLxMurja5P63uVjV19ePPqazR47SDPa4UttMMpdIMsmJvdOHzWCZvJ5ssFQQrrO5l8H1Beh9lbFzh', 'btUmetsTApatkGtIV7Ar85mhuWhty6TScMcbnp4Bc0EWVLzoXJ3MXttQG85E0Mw6r08Bg0gK7F0sIPyW', '_9ilAP0cixqahHu4GEVeQDwOxsqe8x1q8PisWnM9J5eCC4xT42SCNWJE9AfMDBxZUoBnkzXZowCDwicnO'
Source: Windows Defender.exe.0.dr, zkQvGS0CbJWVNQzX5NTER9jKP2wULDi4d7anVMwHXLqxt2Tfv4P79Ovl8LhrrbpRTAHRggLj6diBqOcOOQp4tkjEnPEJC5.cs	High entropy of concatenated method names: 'Cf727bOR7tmg52RUOBjzXXW07BvwwusAZeXWQUbfS5TSAxiVeQ85Di2K7cjskToFklKtP27kh7hRErq6t1aiZtwj317DKD', 'b6Gpmr1a6DLZ0iQe5PQiXjfDgwJTVCs85bzz2miyfWUF6ZRelk5mmW9pV8b6qnqAbqQSpFjHJARDeNsHMmmBH7GM7x1Ilf', 'WWYaGiEOPbQrDeeuEOh96p36J4l3CXXUW6My42JCfgnmJ6ldEdCgyPyaIEYUIAEqZMQw3SqhV3VmScsgVvnifDENPzrzDv', 'KCHtc1PRa2W2WF8Vo67k5A', 'CS2hsHRh3siCbOd6p2HOda', 'dhPyQmjAH02BwSBgb7Jf05', 'WuvOV43onvRsDtNiqMWHAw', 'AS5Nn37UDDwO0zKIdLK7gm', '_8ULcALNWa2tKQ9ZwieNluI', 'SfeiZ7WsOxTSvCI8uMI0Yg'
Source: Windows Defender.exe.0.dr, XTL63OWwlW8xwNxHliXe5MQAZDgir0OO3J3aDCgI2Uo9U.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'YmUEfhQ1wTKDpAXx46A1o8Y4mpSM8r8oub0Z3xgEFg0lflxzLtSWQERHpbJScMon62EuS6s6DzKpi6Aj', '_8MfTblSGLO5n0mPc2nYdMQazaJLOrXt8NQio3PmBFNSKJNDpmDTjlXe9cJu1ibS9aU6N3niIM31qbgcA', 'zWsNhrmhwGpSQ1GT2yTf9YGIqdLugqch40onIwOyzOpbNEyMsCvbLqqNFzlBLkDJ1Ka7ndeUe0ANFikU', '_4KVsAkI14lbomkIoEVolZ3Zo6TGPNmp4s0gPSV0l7Q69pLOjmMCh9WkVERgOXOnH3ZUsqTnHHwIR4rpf'
Source: Windows Defender.exe.0.dr, OVvRXAYaO1Zt4j8kRspWu8Dluwd0T5ynfiFpuFFu9oL9Wutux2n6Kdfpe6PdXD.cs	High entropy of concatenated method names: 'zcPak2Bsyo8wccw7Uv3aiI37yZoliDHgleuyqwETbHQd9J045tXgkI1qlfitR4', 'LnxexLOzfmbgG7jq6maRN0QA2p2CJP8ZygHiQlLb0ppaU1fT6IN7dd1yiuDkNp', 'gJIgi2FPNaDPC4EwzsGhiY2sPhtac76AsL8impk1XIcnVzR3rnRj2XSflBROJV', '_2O1IobNQiQ8Wc5XwYvjcpyDnrG3KHW0JmvtivyJALruWtIj4LGn1tKeO3USg5x', 'H0llgP1zOdBZtDAtdx1Cxk', 'UqFolkiLKQ4JbhehxP1bzt', '_03EZcOibVWwuyQFiTqnT2s', 'G3MI0QwFp4pni6N39enaXd', 'U4z45H2vtb9BFwqlN6lVxF', 'Q6Jls5twNnDmWl4vgIiSbi'
Source: Windows Defender.exe.0.dr, jx9GZsYLetM8ozl7eeSUYzaQ9rVm6zahKbBJECPrIV9xeRXsM4ZcUAK0g1ype5.cs	High entropy of concatenated method names: 'StyaJjuBncIt9ThkoYTkgJYT4G2PSxngq1OvYXUuUTWkPMCl9dnBCYNLuV56Ae', '_1givnKGlzrQZPv9YZ5KOBN', 'FXCw5u2JpZHzFj705RvUW0', 'ZjqJdWqvnSaB93WE34qu6a', 'wksOBjUK8cAPfmooAuQO2D'
Source: Windows Defender.exe.0.dr, lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.cs	High entropy of concatenated method names: 'DAd6MY6WE4amuhxrr4rf7HcKOjmPHzihO08yso7tjrHGipjdfQJGte2kNfYt1A', 'EEG2usG8WiBmb3SmuxCcnsQ3osy3y3GDWYkPji0Al1v1JWS0sQRz09IittLfuX', 'QcKEpexPmpox3XOwz4Bl7riUjiPtDwWUxZWYZQtYskm3cKI0ruZMF5g8k670ow', 'WZ7ktBjfrsh68udUUPkZrVhR4WMHREcWaGCfr20GIw65JCQmUgxeG5HrXJmZkf', 'eORZ7fjqhZzG3pzpIn4alL1aoCtIhWEKGQF2JVYzoSGJgi5OzYLKqqSJ1HmMG7', '_553psPh1t5SncNT6ckbKASBJC8uq3fDBHTJIabfU3j1zKoozq4Ci7UzzSCmJtI', 'SyFv2P5XoehdJnT219CeBvc978z1Ho9JrjfROxl1zcFauUtGBjZQ1P8EaFitC0', 'HJO9Xmz1UIQBlQ0JBoV3uUz1irYdtjXjyH0WW2hMdPtDQWgMpG6xP3YF0EoIsD', 'mWcZIDE7MfG3T6MrBrPQiHWeMnLjdXzRv8PqZkTfI3o1E85R1ZFEtHbb8QiUL4', 'hXogqRoM3BqP35AogVfb4qDe4JHRqCjxysRympSYAy0C5Saj7YkhHXjHU0FZYg'
Source: Windows Defender.exe.0.dr, WqBFPPAGdP3qekKnUXbSbMnJQkYEWq6EDn6c9pYZqk7IrAascLDqgnmAgB4ND2.cs	High entropy of concatenated method names: '_2YF2CRCsDxdnPdsPBchoEhwDZKc2AXV8hIOv01TvH6OQlY4T1VOIp7Tkpf2sST', 'izfsM6M5EJ9022yy2GhiMa4Bwnc097KT7AhqxNHBKX7zq8jK6gCmwgw3KdQKda', 'Ux2rE57wFUIxDfwqfnBFCGFSB0GjwBtVP29hwIjLDU1S9quzDBNA22Lay2S0JK', '_43Lx3rAdBh2j4nWOx656HHtCbrZ1PdRnus0reiTUGQoGpicRD8iPa9pXSiZJOc', 'Z13RptwCW6XMeTAkZkkKdm9kNxgi9iKJlLM8IF79bjsu2BhrUZT1siGtlJ4BwO', '_6Q2P9IWxjqddZPGIaZe7mUWnyZmJKvHhjKz91sMVMlcYij9rq4vXtUogf7WrHl', 'X68ePNrQwDbQ8uqQNDHJSitBmeJXe2Q49tAB0TGy72VGUASLGdoz4QZzKHzrgS', '_4VLeHC1i6LkyVH2oQRjg5pHqg89lv7hXZdrnn3ceAR7VmVTgNPZTSsprslXefR', 'nm0e3gZXlCPxo4CZhSxRNAuslaHN5n2q5GASCv78CCyarQHpdJprQ9neptRq0e', 'Vmyuxdcefk6376V9aadd6WNzN74pa5hWPfAoVWk8dTKIrHIFiZGcxW4mxtNlkc'
Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs	High entropy of concatenated method names: 'JoRZgwYRrib0pzhpbwWuCtzXsDVKwaWx5tO0u2n7d2Cz2N5q28xKD8Fwiqx4STiG0XvtWrH2LhOU1', 'btLAU14pks6PBxFwEe0mhymuEFOGtv1mHvL8Z1lwxNp1uuoqscXUIuXCJMntdvB7QJ4SrgXOqP2Ac', 'ugnFlO8xTqB6vzX4WBwVisSRqh5O5nGNDs3hF8G8QzWX8KfWJpJ6ZFoFuLNjzXlAL7ehRPDMozBR1', 'b7N61fbBnHn379Cg8KG40J7wXB15pCeuevw12h2z463IzZDO9oFoHQcxWRzgKeg6Sj8hhRpGhSOaK', 'KElHQzROcJDUxi5j7UiI8pcLCBOq32DagRpElG4rBN4kpdWNsJamX8yMLUkIqoTrKuS2oYHzR29fo', 'zJENyi6rDFsfvR2PuqsNpRvB0DB3RMi6deOtdOSMdhaBI7Iwv18yYOQSgB3RrlSmWhJHq0PDGfQem', 'enY8qBECWHWHiOg0sJlf5zeZ6a6HQ7dtubz2ewvOScb8ZuTBjUEMAMVrwY29V6ThmbdmOlKDjip5V', 'ndjhIoTbd7FTL4aAH7NOjBb6yoQNNVPtuVkyYeqawMbmsbxyqaY7WBC8lEQ8sWtPZROnieYwkS8CT', '_7qlab1dNPzWfuJE6nU9nYteKoAIV5Hl3bR2emlAtQmjm4Q33fpzxH7Vob9GFwcoBiQsdKh7FcPx7r', 'om2e3sWjhmFSXj6ueB3p2lrHh3loqJI3Ln3FYvLU8zxsAizAWP1FAwqU5fQLtWJ1Fp4gz7atHLzFy'
Source: Windows Defender.exe.0.dr, Q5rYqmkFrCyjhTqjwG8qAWrGPcnIHyXyeJNHX3ZoPPK3S367NSagfidADR3o0oG7aigItouSGKdHm.cs	High entropy of concatenated method names: '_36Iu8s60bxeFR4yMJVHnKU3HH5G0XdCkYGRvNxeusm2xRkTCirth7MIl3bEYMLRwcgVbXbYXWzRJj', 'faomJDQTH9JfrQdsdIlJKfaYbhf3qszNtTnzmUj4976tVVM5Y09H9aNvYFx3TnCXKgLYGVS0lMNLU', 'rkDeZ2n9YEpjTXkJxDoMHTqWF5YQd0ylDMfuTpp5s3RqbkwPhJeNuKgSA415fXhpW68YBHy6Ymcge', 'bHYmEjJ7sdLajo2keOL4u3oa4NrZ9hWJZht8YVkxC2ecvLJErDhtjiRJpCyxpalQXR3elrvDqcgLe', 'ln6UL6yiXM4T1Pr6d3btbvrjL9SoiNilXgU9dDYgetX8ow3FRkWwlwOEaLaToOsql87Je9Y4zZPkt', 'dqW1HlDiGOIQY2sX2VquBfHHMmw6Iu3xtqqcvf3AoUZDJwuOrWVbqgy1qwESKzJ2lJZ3aU0tw6J6C', 'no09akK38j3bIvQNA4Wdv7ufwBUbJ93yyNZghYNkS4ACJlXfxQjAzpXfgczhJ5ArkYZ6gwbvXjSNB', 'EBzFOEVL98ZjzRwTm8lKAdFIiSXYqMGmzGaBjdj0VkZIpSt5tG7a3tBb7LUAIMT7ainpEqxxZMwJ0', '_6EjaJhzY4Gaveg0ui8NYtJg97g738DxWHUEsjKOSVPIJNkk7ze8aJ00bLYqNIMYIkiaqs2WYsOwPU', '_5bUJBXaOgvlMv64mzSubcFb8PqbAGAT8inlazolutMv5ocpXlyla3VzKWXSfp1pZCpEzynoqnlhjb'
Source: Windows Defender.exe.0.dr, Xp5eWsWWhMglmS4zYSIjSD4w2EFmG57IhPNnHU1bP52sr.cs	High entropy of concatenated method names: 'WwjisSxxDCIbYcd4Y4UsqmXSlLzy6oLoIqOCTMWAInrkF', 'bBheXXcZoHVHxH3bBwr4aiknrJ30F2bql9MOkfWOgWaTq', 'Zdz9Y1bCXi8V72fSYkM8d7sniuRdX542x8pAEt3CeMF9j', 'yXMXIg1VptpW8byLQs5HSkP1TA0h1hAEQiHbQSes2bmcp', 'I2YmHmS08pAbFmzOSBH8Y9cTmI9CWatYj4soluOsJsGYz', 'LVuZSiiDv5SFtOV7OLqTzSGpKYqkYtH4XZd8ll22xBt6P', 'D6tgcK1HEP2IGjUVuhog1CaWcVSXFyYs8oDUuBWgoKCPK', '_32gxo0e19sbzb3vOpQ77zPrQGLg0R87ydpGd041Mfbvm8', 'WZylfD2CEeMMaIvgBNUQv7gc2RbHrrLbHNWRRmPYb6aSw', 'lZyYSscCiEU4lOIVItSVV7ZuAnLoEt96sL8470xdo95Jf'
Source: Windows Defender.exe.0.dr, tBZCWm7wJKWrvEwJjCneXQvYCf0Z1Hh9jgOBkQZCmW6wv8woLGoDUWwpaSbAug.cs	High entropy of concatenated method names: 'uAIdma4NR8QqGZMhHTp2pkwIUASRT1s5TCCMoALNGGqZUcAQgjPmEfsnMYfpcU', 'E8guj0wkTXSDi5PFQB7VFk', '_2BlW37vOQ5lBjwqupApYeu', 'O3m6VbhYCCdK6SVfSdZECU', '_46xAuc1Pk0nvKAyw2iwSns'
Source: Google Chrome.exe.0.dr, jrpcTEvwrHLqRyJr.cs	High entropy of concatenated method names: 'n6zY7SAVCFHSUas0', '_5u90BQKmyRZ1eHyk', '_4ayTVWlBE9zPll85', 'v0TUPDCgCertO9ISBLj6Ks5ySm6sXd2gqmjV6C0QA1xeZnAk', 'XX9gKT0BQjmjplVu8C2b36iW2oCp1Ec9r24dBqV8rtgoH1Gc', 'c1fcVHBM1Z2NZ5nEZm97YsCRoSI1Yl0RuoWo7bAjjpTMkOce', 'pVbnbXkSrLua0mWOAd5y9PZASCo6xbf6QYuvIe30J98rhPB5', 'sfJ1PnqihDg0YYH5j6cBfhvGOaM1DyRCLQZ7sJZvEgApEXy0', '_7sJXJem4fx1wNk8WdJJCtSnCTD7u5DRm6zGvVXzLoh8LyuhF', 'VJlh2FAsAuXJq9USNTjYzUlFGlrmJLLxkbMTl6SgVoJWVZDn'
Source: Google Chrome.exe.0.dr, nLxyvU4XZkGViCTKiVdfH88oRZM5Cuv.cs	High entropy of concatenated method names: 'NRNaQiL45HdvDE12rlpjtHiVgewI5IY', 'oayXCFlyxRcNG8Jh2Pkem7iiL5yjIc6', '_8BbbEBAIVhrTrngXfKYzb0vuRgPJ8I9', 'gOOq3tqQTNIc3fpOeAIJvqFdGQC1N9n', 'i2Ku7FUOqzNLdb87n6XtsO8BCKeCGef', 'rTNybMCNvpLU1mzBmG8SUeZg3muzZgK', 'AtWHzfMZG1pMlUty0vIk3qVlWsuIQva', '_0SJ9Qp1ltJir7yTsoFhX5NkSSJhHOqH', '_1D1W9pj644gjadQUV2xD2YcS1Na9oU0', '_3TPmxJhS9o1EWhxsomNZ3B8jWNcoZ5G'
Source: Google Chrome.exe.0.dr, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs	High entropy of concatenated method names: '_8RdgBs8hsKc1Xchvn2E27CgOkhSFoyV', 'f9ZdtOKP4Q3DUGf2u4fXoYuntvta6B7', '_3jnBuRACGTClEVxVYkJcOgKRMf2592k', 'vylxe4g5k8nkkpbiZ6y9Scim0TIMlFk', 'QBsxGonALOQAUKA40rzlOyGY8fA6U1L', 'aVIrdjG2tf77GFHFxxrwjfZxRz5lCsm', 'uy0K927WZFwasL8hGin2hAyR9cQhS7X', 'g7BCflj5inLC0crvdd0pYUG7vWl38py', 'TnL1QraWSY95QDURwJ1lmSgxHwqLtSl', 'ogiNgCdZm7pmO643ea2GYmasMz19ncO'
Source: Google Chrome.exe.0.dr, w7ZIRjsvip4MF5xGsbBND80ojJ4dh5g.cs	High entropy of concatenated method names: 'Nx3F4Pq2rRNYc17giIIqq6grtK5HPJk', 'egW94Lk6guFqcb6HsOVrS1htfU7FJWB', 'h96VMbfQPnTKAdEPxf6pZMcTkXLJs6F', '_2lP6glD6EWETGQ5TMMMZC7OikS6mWmq', 'IV1Y2etqJljurSX3', 'houvz32a6Zl2mEXe', 'nSiO4tePrjSotMCz', '_6tvowFv9nogysn4q', 'ptmHhgcMISltGkT0', 'wrdSv0ILtECCEtJw'
Source: Google Chrome.exe.0.dr, 95IUXxLlqJejB12ZmlfVehHxTvY7hK7.cs	High entropy of concatenated method names: 'zO97l4bWsDYwEuC13Dh97PM8zPZVp2v', 'Dncea824rrtH3UkejCOtVMU4U9EZ6py', 'gm2byZWLfUE2kN5qzvM2v9bxYezko9d', 's19zmkrFCyjLRvvVKnCHrqb1AbJ2N8b', 'mxrLPLumYLJ8agiCeHFPXLD6Ji0d9J3', 'UhhkkC8ORQA2Byyil5KrSpk3uFLQ5sE', 'c3HVHtQR0OdVZZZptKkxfTMGFT1jrGc', 'L1iOuf0jbeIAVdorxYggkHQfAei9qfA', 'zjozaRMGIZQYLYnN4qTuafvEDtYVlTV', '_5wYe5ENJX5mkytI5AxE8kpKOe6RhNCO'
Source: Google Chrome.exe.0.dr, 1I2uDx72OuHy9A5f6b5YLHuDm6qHQgA.cs	High entropy of concatenated method names: 'hOlh9c922Gl5MoIZrC2CmOOfVnNbtlB', 'AgraGoSCMLEfiC0UJZeNawIitt4s2hk', 'MgtORkUENm79TnfisYEyYkUfxyL4jKZ', '_9G1vtUTHvRJYDfKeddJp0RzObOxrUhJ', 'oUorYDfFYsMd9dsRsZ5riV1WPnreL6V', 'lVHGLL8xKlS1OanFMALVDAkh0AFYs90', '_9wgi8v7FCwFLxwWaGzti7rsGMZqxTpO', '_9xG1VuffErxxW83pWzFHDrXS7D2fgOF', 'MjK2VGXEkI3oS4FZjPlPH7rBlKzZFSd', 'ys5YHLn03jNcqndQKYYWOunHKBcRCc0'
Source: Google Chrome.exe.0.dr, 2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.cs	High entropy of concatenated method names: 'ZY9ToOBPVEn15PRC6rbgQuqq9VXVVBE', 'va4uJ0eKytu4E2I8ZuaNh3pz2g8l8mQ', 'Spwr39kyR3vbMuWeh5EzqsQIkNICorr', 'QnD41hgm5idFCYVehTMR35VCWeWc6Wf', 'nyD2eb9EKCEb7XgB9l6QXFf6kwDo4kS', 'LTa90cdtGsRM5kIeC9iN55dXZdw8KKL', 'kiQ43LuThWeojuzbQ0ZsJTfuz2ifoMf', 'EG7GkGmbX7KDDZStQAWeI3g3zBXKfyj', 'NAgkei94MYNFuWUCVNX6t6kKhN4HACp', 'j9ev6vQA6vSMcrgBdjVDhZlT7B9BF30'
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, jrpcTEvwrHLqRyJr.cs	High entropy of concatenated method names: 'n6zY7SAVCFHSUas0', '_5u90BQKmyRZ1eHyk', '_4ayTVWlBE9zPll85', 'v0TUPDCgCertO9ISBLj6Ks5ySm6sXd2gqmjV6C0QA1xeZnAk', 'XX9gKT0BQjmjplVu8C2b36iW2oCp1Ec9r24dBqV8rtgoH1Gc', 'c1fcVHBM1Z2NZ5nEZm97YsCRoSI1Yl0RuoWo7bAjjpTMkOce', 'pVbnbXkSrLua0mWOAd5y9PZASCo6xbf6QYuvIe30J98rhPB5', 'sfJ1PnqihDg0YYH5j6cBfhvGOaM1DyRCLQZ7sJZvEgApEXy0', '_7sJXJem4fx1wNk8WdJJCtSnCTD7u5DRm6zGvVXzLoh8LyuhF', 'VJlh2FAsAuXJq9USNTjYzUlFGlrmJLLxkbMTl6SgVoJWVZDn'
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, nLxyvU4XZkGViCTKiVdfH88oRZM5Cuv.cs	High entropy of concatenated method names: 'NRNaQiL45HdvDE12rlpjtHiVgewI5IY', 'oayXCFlyxRcNG8Jh2Pkem7iiL5yjIc6', '_8BbbEBAIVhrTrngXfKYzb0vuRgPJ8I9', 'gOOq3tqQTNIc3fpOeAIJvqFdGQC1N9n', 'i2Ku7FUOqzNLdb87n6XtsO8BCKeCGef', 'rTNybMCNvpLU1mzBmG8SUeZg3muzZgK', 'AtWHzfMZG1pMlUty0vIk3qVlWsuIQva', '_0SJ9Qp1ltJir7yTsoFhX5NkSSJhHOqH', '_1D1W9pj644gjadQUV2xD2YcS1Na9oU0', '_3TPmxJhS9o1EWhxsomNZ3B8jWNcoZ5G'
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs	High entropy of concatenated method names: '_8RdgBs8hsKc1Xchvn2E27CgOkhSFoyV', 'f9ZdtOKP4Q3DUGf2u4fXoYuntvta6B7', '_3jnBuRACGTClEVxVYkJcOgKRMf2592k', 'vylxe4g5k8nkkpbiZ6y9Scim0TIMlFk', 'QBsxGonALOQAUKA40rzlOyGY8fA6U1L', 'aVIrdjG2tf77GFHFxxrwjfZxRz5lCsm', 'uy0K927WZFwasL8hGin2hAyR9cQhS7X', 'g7BCflj5inLC0crvdd0pYUG7vWl38py', 'TnL1QraWSY95QDURwJ1lmSgxHwqLtSl', 'ogiNgCdZm7pmO643ea2GYmasMz19ncO'
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, w7ZIRjsvip4MF5xGsbBND80ojJ4dh5g.cs	High entropy of concatenated method names: 'Nx3F4Pq2rRNYc17giIIqq6grtK5HPJk', 'egW94Lk6guFqcb6HsOVrS1htfU7FJWB', 'h96VMbfQPnTKAdEPxf6pZMcTkXLJs6F', '_2lP6glD6EWETGQ5TMMMZC7OikS6mWmq', 'IV1Y2etqJljurSX3', 'houvz32a6Zl2mEXe', 'nSiO4tePrjSotMCz', '_6tvowFv9nogysn4q', 'ptmHhgcMISltGkT0', 'wrdSv0ILtECCEtJw'
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, 95IUXxLlqJejB12ZmlfVehHxTvY7hK7.cs	High entropy of concatenated method names: 'zO97l4bWsDYwEuC13Dh97PM8zPZVp2v', 'Dncea824rrtH3UkejCOtVMU4U9EZ6py', 'gm2byZWLfUE2kN5qzvM2v9bxYezko9d', 's19zmkrFCyjLRvvVKnCHrqb1AbJ2N8b', 'mxrLPLumYLJ8agiCeHFPXLD6Ji0d9J3', 'UhhkkC8ORQA2Byyil5KrSpk3uFLQ5sE', 'c3HVHtQR0OdVZZZptKkxfTMGFT1jrGc', 'L1iOuf0jbeIAVdorxYggkHQfAei9qfA', 'zjozaRMGIZQYLYnN4qTuafvEDtYVlTV', '_5wYe5ENJX5mkytI5AxE8kpKOe6RhNCO'
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, 1I2uDx72OuHy9A5f6b5YLHuDm6qHQgA.cs	High entropy of concatenated method names: 'hOlh9c922Gl5MoIZrC2CmOOfVnNbtlB', 'AgraGoSCMLEfiC0UJZeNawIitt4s2hk', 'MgtORkUENm79TnfisYEyYkUfxyL4jKZ', '_9G1vtUTHvRJYDfKeddJp0RzObOxrUhJ', 'oUorYDfFYsMd9dsRsZ5riV1WPnreL6V', 'lVHGLL8xKlS1OanFMALVDAkh0AFYs90', '_9wgi8v7FCwFLxwWaGzti7rsGMZqxTpO', '_9xG1VuffErxxW83pWzFHDrXS7D2fgOF', 'MjK2VGXEkI3oS4FZjPlPH7rBlKzZFSd', 'ys5YHLn03jNcqndQKYYWOunHKBcRCc0'
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, 2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.cs	High entropy of concatenated method names: 'ZY9ToOBPVEn15PRC6rbgQuqq9VXVVBE', 'va4uJ0eKytu4E2I8ZuaNh3pz2g8l8mQ', 'Spwr39kyR3vbMuWeh5EzqsQIkNICorr', 'QnD41hgm5idFCYVehTMR35VCWeWc6Wf', 'nyD2eb9EKCEb7XgB9l6QXFf6kwDo4kS', 'LTa90cdtGsRM5kIeC9iN55dXZdw8KKL', 'kiQ43LuThWeojuzbQ0ZsJTfuz2ifoMf', 'EG7GkGmbX7KDDZStQAWeI3g3zBXKfyj', 'NAgkei94MYNFuWUCVNX6t6kKhN4HACp', 'j9ev6vQA6vSMcrgBdjVDhZlT7B9BF30'

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\X.exe	File created: C:\Users\user\AppData\Local\Temp\Google Chrome.exe			Jump to dropped file
Source: C:\Users\user\Desktop\X.exe	File created: C:\Users\user\AppData\Local\Temp\Windows Defender.exe			Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\X.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Defender			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Google Chrome			Jump to behavior

Source: C:\Users\user\Desktop\X.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Defender			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Defender			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Google Chrome			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Google Chrome			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Windows Defender.exe, 00000005.00000000.1475029676.0000000000172000.00000002.00000001.01000000.00000009.sdmp, Windows Defender.exe.0.dr	Binary or memory string: SBIEDLL.DLL
Source: X.exe, 00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp, Google Chrome.exe, 0000000D.00000000.1724078447.0000000000612000.00000002.00000001.01000000.0000000A.sdmp, Google Chrome.exe.0.dr	Binary or memory string: SBIEDLL.DLL!JNIMQCKOED45DYFT!IAM0ALKDJV0MYMDL!NOJWIPYBQPULQVZX!GTHCXSPLOYJGMMWS!U3KBXZGSFAQWGJLH!VTFJEYIGIKXYFUP8!GIGCCSAGVAK9C4YO!QIBI2FXSGTAAGMKI!MNHKSXYNHIQU6EPF!MDQRLNDNNYD8JUAU!WVCSNOTCYEFGUQPY!DILHNZWKHYCAURAI!Y8SFBAVEXAHTZUTJ!QGJ8CDBC5CGS6HBMINFO

Source: C:\Users\user\Desktop\X.exe	Memory allocated: 1360000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Memory allocated: 1C0F0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Memory allocated: 6B0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Memory allocated: 1A4B0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Memory allocated: F20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Memory allocated: 1A9D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Memory allocated: 14E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Memory allocated: 1B150000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Memory allocated: F10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Memory allocated: 1A7B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Memory allocated: BE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Memory allocated: 1A810000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Memory allocated: 2960000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Memory allocated: 1AAD0000 memory reserve | memory write watch

Source: C:\Users\user\Desktop\X.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5156			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4635			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7887			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1816			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6045			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1859			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6839
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1352
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7320
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2331
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8112
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1212
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7761
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1896

Source: C:\Users\user\Desktop\X.exe TID: 4048	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4136	Thread sleep time: -7378697629483816s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1848	Thread sleep count: 7887 > 30			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2040	Thread sleep count: 1816 > 30			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2380	Thread sleep time: -2767011611056431s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6788	Thread sleep count: 6045 > 30			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3132	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6792	Thread sleep count: 1859 > 30			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4116	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe TID: 5456	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe TID: 3020	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2344	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7104	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6584	Thread sleep count: 7320 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1732	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2140	Thread sleep count: 2331 > 30
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe TID: 2144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe TID: 5132	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2912	Thread sleep count: 8112 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2912	Thread sleep count: 1212 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 568	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3660	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4008	Thread sleep count: 7761 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7016	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6364	Thread sleep count: 1896 > 30

Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\X.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: Google Chrome.exe.0.dr

Binary or memory string: vmware

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process queried: DebugPort

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\X.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender.exe'
Source: C:\Users\user\Desktop\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Google Chrome.exe'
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe'
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe'
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Windows Defender.exe'
Source: C:\Users\user\Desktop\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender.exe'			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Google Chrome.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Windows Defender.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe'

Source: C:\Users\user\Desktop\X.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender.exe'

Source: C:\Users\user\Desktop\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender.exe'			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process created: C:\Users\user\AppData\Local\Temp\Windows Defender.exe "C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe"			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Google Chrome.exe'			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process created: C:\Users\user\AppData\Local\Temp\Google Chrome.exe "C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe"			Jump to behavior
Source: C:\Users\user\Desktop\X.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\Nursultan by fruktoozik.bat" "			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Windows Defender.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe'
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Google Chrome.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\X.exe	Queries volume information: C:\Users\user\Desktop\X.exe VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Windows Defender.exe VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Windows Defender.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Windows Defender.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Google Chrome.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Google Chrome.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Google Chrome.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Users\user\Desktop\X.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Source: Yara match	File source: 5.0.Windows Defender.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.Google Chrome.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.X.exe.140f9ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.X.exe.140f9ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.1475029676.0000000000172000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1724078447.0000000000612000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: X.exe PID: 6696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windows Defender.exe PID: 2548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Google Chrome.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, type: DROPPED

Remote Access Functionality

Source: Yara match	File source: 5.0.Windows Defender.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.Google Chrome.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.X.exe.140f9ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.X.exe.140f9ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.1475029676.0000000000172000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1724078447.0000000000612000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: X.exe PID: 6696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windows Defender.exe PID: 2548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Google Chrome.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, type: DROPPED