Windows Analysis Report
OXhiMvksgM.exe

Overview

General Information

Sample name:	OXhiMvksgM.exe renamed because original name is a hash value
Original sample name:	30258a07cc6d0fa827544493e9036e955056da88d0530efa8cf3535ecbf8e75c.exe
Analysis ID:	1557206
MD5:	651429675c1d86cf068746159aa66b6d
SHA1:	aad51d3448cb1e9f337a985ed840a0064d5699ee
SHA256:	30258a07cc6d0fa827544493e9036e955056da88d0530efa8cf3535ecbf8e75c
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: OXhiMvksgM.exe

Avira: detected

Antivirus detection for URL or domain

Source: activities-mustang.gl.at.ply.gg

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\X.exe	Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\user\AppData\Roaming\X.exe	Avira: detection malicious, Label: HEUR/AGEN.1305769

Found malware configuration

Source: 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["activities-mustang.gl.at.ply.gg"], "Port": 54756, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\X.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\X.exe	ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: OXhiMvksgM.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\X.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\X.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: OXhiMvksgM.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2.0.X.exe.6c0000.0.unpack	String decryptor: activities-mustang.gl.at.ply.gg
Source: 2.0.X.exe.6c0000.0.unpack	String decryptor: 54756
Source: 2.0.X.exe.6c0000.0.unpack	String decryptor: <123456789>
Source: 2.0.X.exe.6c0000.0.unpack	String decryptor: <Xwormmm>
Source: 2.0.X.exe.6c0000.0.unpack	String decryptor: USB.exe

Uses 32bit PE files

Source: OXhiMvksgM.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: OXhiMvksgM.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\X.PDBrces source: X.exe, 00000002.00000002.3318294673.000000001B87C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbC4Qo$ source: X.exe, 00000002.00000002.3318294673.000000001B8D1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbPJ7n% source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbZO source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER635D.tmp.dmp.18.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Configuration.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdbh source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Xml.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb` source: X.exe, 00000002.00000002.3318294673.000000001B8B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B8D1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B8B1000.00000004.00000020.00020000.00000000.sdmp, WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Management.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: mscorlib.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Management.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: mscorlib.pdbM source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbE source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER635D.tmp.dmp.18.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER635D.tmp.dmp.18.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49995 -> 147.185.221.22:54756

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: activities-mustang.gl.at.ply.gg

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49899 -> 147.185.221.22:54756

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 147.185.221.22 147.185.221.22

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: activities-mustang.gl.at.ply.gg

Source: powershell.exe, 00000006.00000002.2351552133.000001C967B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000006.00000002.2351552133.000001C967B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000003.00000002.2231638777.000002BAD209F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2335806217.000001C95F3CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2215673599.000002BAC2259000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2272627958.000001C94F589000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: X.exe, 00000002.00000002.3289710637.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2215673599.000002BAC2031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2272627958.000001C94F361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2382285589.000002B200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2215673599.000002BAC2259000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2272627958.000001C94F589000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.18.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.2508262262.000002B277C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.cou
Source: powershell.exe, 00000003.00000002.2215673599.000002BAC2031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2272627958.000001C94F361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2382285589.000002B200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2231638777.000002BAD209F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2335806217.000001C95F3CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Local\Temp\X.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.OXhiMvksgM.exe.24d4310.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.X.exe.6c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.2145180452.00000000006C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\X.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\X.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Code function: 0_2_00007FFD34890A21	0_2_00007FFD34890A21
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B8CE6	2_2_00007FFD348B8CE6
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B2E99	2_2_00007FFD348B2E99
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B9A92	2_2_00007FFD348B9A92
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B1659	2_2_00007FFD348B1659
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B2F43	2_2_00007FFD348B2F43
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B388D	2_2_00007FFD348B388D
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B449F	2_2_00007FFD348B449F
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B1E1D	2_2_00007FFD348B1E1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD3488B9FA	3_2_00007FFD3488B9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD34888E2C	3_2_00007FFD34888E2C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD3488BAFB	3_2_00007FFD3488BAFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD3488BC4A	3_2_00007FFD3488BC4A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD34882785	3_2_00007FFD34882785
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD348C34FD	6_2_00007FFD348C34FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD348C35FA	6_2_00007FFD348C35FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD348C5BF2	6_2_00007FFD348C5BF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD34898503	11_2_00007FFD34898503
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD34898E05	11_2_00007FFD34898E05
Source: C:\Users\user\AppData\Roaming\X.exe	Code function: 14_2_00007FFD348A1659	14_2_00007FFD348A1659
Source: C:\Users\user\AppData\Roaming\X.exe	Code function: 14_2_00007FFD348A1E1D	14_2_00007FFD348A1E1D
Source: C:\Users\user\AppData\Roaming\X.exe	Code function: 15_2_00007FFD34881659	15_2_00007FFD34881659
Source: C:\Users\user\AppData\Roaming\X.exe	Code function: 15_2_00007FFD34881E1D	15_2_00007FFD34881E1D

One or more processes crash

Source: C:\Windows\System32\conhost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 7100 -ip 7100

Sample file is different than original file name gathered from version info

Source: OXhiMvksgM.exe, 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameX.exe4 vs OXhiMvksgM.exe
Source: OXhiMvksgM.exe	Binary or memory string: OriginalFilenameXBinderOutput.exe4 vs OXhiMvksgM.exe

Uses 32bit PE files

Source: OXhiMvksgM.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.OXhiMvksgM.exe.24d4310.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.X.exe.6c0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.2145180452.00000000006C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\X.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\X.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: OXhiMvksgM.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: OXhiMvksgM.exe

Static PE information: Section: .rsrc ZLIB complexity 0.9908987576844263

Source: X.exe.0.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: X.exe.0.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: X.exe.0.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: X.exe.2.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: X.exe.2.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: X.exe.2.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: X.exe.0.dr, 9M4B1GrUSVl6ZkgZecK5.cs	Base64 encoded string: 'SUzxqYnSIZ3rwlu3W5pG63sJOzfr5xhpGDRRLFrnnWfejlQIJNdL', 'JS0jsHU3mlUCSUFwSLdre9RG4Ci9dBvqaAg81TNQChm6YaEGxoPm'
Source: X.exe.0.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	Base64 encoded string: 'gAwL7Nk4jP68a4xEytjqv7HSAcF5N7jgU2gJJh6N7HrphZjYvKU6', 'ojUmilqfK0mddif3OzHZ3jL0kqcUePYer82iIppRzALKRJHIgIB6'
Source: X.exe.0.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Base64 encoded string: 'UmZWuD6cpDFZ8CHTYvAcw0tFtW6KYb4dFi0Mrj3H6dFcJ6XYkiU2', 's1DbALCDBVsBxXnIpl22B4QKPS6Hgbs7fsS0PUeoKOt47ELqX8AH', 'OFg88b1Z2MvzbteZ9RMehu1PZ5rJveU3fz2i9yUKsXjfNTUh9366', 'XtOsxvNE9wyKdOh2voy0MSdSlSft9Ykpu2ruS8dpZl6iAb6IZhXC', 'iZUcKVFUVDWu1rGZW6QfpaZitdZWvsPPOhEgz9h2YL4rXvtYS4fv', 'I7ppiLkGu6Z8X9Ap68PLPY7cJF1ZGmhqaqKxKUVcnupZJgb523zR', 'gWbLobpkSqSBtLpHfrvQa1029k6vjUWUeCh4JlDB23Dad7yhshie', 'uWIYG8XoRkjd1uUQSdyaKQN9FIvsOGiYwDFipO8ulRzR0Yj9Ekqa', 'p5qguSS6LPKZnZhADHNxkgCShTX9Wc3US9CwWZ5BvWkHwZpWLtK3', 'IoxDAUCnxCryC7BpRHZfpAvgYztOwuDu9vQ4Kq08vVXgMVJ0r2vH'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 9M4B1GrUSVl6ZkgZecK5.cs	Base64 encoded string: 'SUzxqYnSIZ3rwlu3W5pG63sJOzfr5xhpGDRRLFrnnWfejlQIJNdL', 'JS0jsHU3mlUCSUFwSLdre9RG4Ci9dBvqaAg81TNQChm6YaEGxoPm'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	Base64 encoded string: 'gAwL7Nk4jP68a4xEytjqv7HSAcF5N7jgU2gJJh6N7HrphZjYvKU6', 'ojUmilqfK0mddif3OzHZ3jL0kqcUePYer82iIppRzALKRJHIgIB6'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Base64 encoded string: 'UmZWuD6cpDFZ8CHTYvAcw0tFtW6KYb4dFi0Mrj3H6dFcJ6XYkiU2', 's1DbALCDBVsBxXnIpl22B4QKPS6Hgbs7fsS0PUeoKOt47ELqX8AH', 'OFg88b1Z2MvzbteZ9RMehu1PZ5rJveU3fz2i9yUKsXjfNTUh9366', 'XtOsxvNE9wyKdOh2voy0MSdSlSft9Ykpu2ruS8dpZl6iAb6IZhXC', 'iZUcKVFUVDWu1rGZW6QfpaZitdZWvsPPOhEgz9h2YL4rXvtYS4fv', 'I7ppiLkGu6Z8X9Ap68PLPY7cJF1ZGmhqaqKxKUVcnupZJgb523zR', 'gWbLobpkSqSBtLpHfrvQa1029k6vjUWUeCh4JlDB23Dad7yhshie', 'uWIYG8XoRkjd1uUQSdyaKQN9FIvsOGiYwDFipO8ulRzR0Yj9Ekqa', 'p5qguSS6LPKZnZhADHNxkgCShTX9Wc3US9CwWZ5BvWkHwZpWLtK3', 'IoxDAUCnxCryC7BpRHZfpAvgYztOwuDu9vQ4Kq08vVXgMVJ0r2vH'
Source: X.exe.2.dr, 9M4B1GrUSVl6ZkgZecK5.cs	Base64 encoded string: 'SUzxqYnSIZ3rwlu3W5pG63sJOzfr5xhpGDRRLFrnnWfejlQIJNdL', 'JS0jsHU3mlUCSUFwSLdre9RG4Ci9dBvqaAg81TNQChm6YaEGxoPm'
Source: X.exe.2.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	Base64 encoded string: 'gAwL7Nk4jP68a4xEytjqv7HSAcF5N7jgU2gJJh6N7HrphZjYvKU6', 'ojUmilqfK0mddif3OzHZ3jL0kqcUePYer82iIppRzALKRJHIgIB6'
Source: X.exe.2.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Base64 encoded string: 'UmZWuD6cpDFZ8CHTYvAcw0tFtW6KYb4dFi0Mrj3H6dFcJ6XYkiU2', 's1DbALCDBVsBxXnIpl22B4QKPS6Hgbs7fsS0PUeoKOt47ELqX8AH', 'OFg88b1Z2MvzbteZ9RMehu1PZ5rJveU3fz2i9yUKsXjfNTUh9366', 'XtOsxvNE9wyKdOh2voy0MSdSlSft9Ykpu2ruS8dpZl6iAb6IZhXC', 'iZUcKVFUVDWu1rGZW6QfpaZitdZWvsPPOhEgz9h2YL4rXvtYS4fv', 'I7ppiLkGu6Z8X9Ap68PLPY7cJF1ZGmhqaqKxKUVcnupZJgb523zR', 'gWbLobpkSqSBtLpHfrvQa1029k6vjUWUeCh4JlDB23Dad7yhshie', 'uWIYG8XoRkjd1uUQSdyaKQN9FIvsOGiYwDFipO8ulRzR0Yj9Ekqa', 'p5qguSS6LPKZnZhADHNxkgCShTX9Wc3US9CwWZ5BvWkHwZpWLtK3', 'IoxDAUCnxCryC7BpRHZfpAvgYztOwuDu9vQ4Kq08vVXgMVJ0r2vH'

Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: X.exe.2.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: X.exe.2.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: X.exe.0.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: X.exe.0.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: WER635D.tmp.dmp.18.dr	Binary string: \|\Device\Harddis
Source: WER635D.tmp.dmp.18.dr	Binary string: \|\Device\Harddis00330-7177086-AAOEMddiskVolume3C:\Windows\system32C:11904

Source: classification engine

Classification label: mal100.troj.evad.winEXE@16/24@1/1

Source: C:\Users\user\Desktop\OXhiMvksgM.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OXhiMvksgM.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\X.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7100
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Mutant created: \Sessions\1\BaseNamedObjects\X7Sbr9oc27SibDBmH
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:528:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6852:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\X.exe	Mutant created: \Sessions\1\BaseNamedObjects\I76LbgASVOnu6K26

Source: C:\Users\user\Desktop\OXhiMvksgM.exe

File created: C:\Users\user\AppData\Local\Temp\X.exe

Jump to behavior

Source: OXhiMvksgM.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: OXhiMvksgM.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\OXhiMvksgM.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OXhiMvksgM.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OXhiMvksgM.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\OXhiMvksgM.exe "C:\Users\user\Desktop\OXhiMvksgM.exe"
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process created: C:\Users\user\AppData\Local\Temp\X.exe "C:\Users\user\AppData\Local\Temp\X.exe"
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\X.exe "C:\Users\user\AppData\Roaming\X.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\X.exe "C:\Users\user\AppData\Roaming\X.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 7100 -ip 7100
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7100 -s 2088
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process created: C:\Users\user\AppData\Local\Temp\X.exe "C:\Users\user\AppData\Local\Temp\X.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X.exe'	Jump to behavior

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\OXhiMvksgM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: X.lnk.2.dr

LNK file: ..\..\..\..\..\X.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\OXhiMvksgM.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: OXhiMvksgM.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: OXhiMvksgM.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\X.PDBrces source: X.exe, 00000002.00000002.3318294673.000000001B87C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbC4Qo$ source: X.exe, 00000002.00000002.3318294673.000000001B8D1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbPJ7n% source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbZO source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER635D.tmp.dmp.18.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Configuration.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdbh source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Xml.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb` source: X.exe, 00000002.00000002.3318294673.000000001B8B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B8D1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B8B1000.00000004.00000020.00020000.00000000.sdmp, WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Management.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: mscorlib.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Management.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: mscorlib.pdbM source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbE source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER635D.tmp.dmp.18.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER635D.tmp.dmp.18.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.pYWUqUlVW6wfJhUwtfW5AIYtteaZUEq36gAexTEQqLqGbx2DMyqRweHaMmhN,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.sXpyXFTMJJjZDqVTtc72mak4P8eIk29Zqplk0XhKDV4ULicqjbSl30Rlq5voKAjB5gMdSzmXXezNen8TAEIwBFxMELbt,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.GLUDyttX5fYyZvkfqSL5ZirRDVKbVEhp4CysdYGyiVkUyypHQNW481ZhTKcwx4vQNVSSyW6IPRXnGT38GLad6lWw2VBX,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.P3tJdk6bI2DLaTfGz923qBPLXIVuUbUnXzEqflECKDASAdJAEJ5IBJTC1zkHVzxOiIofl5LpLGXoDu5DJsBXHcA6GGlW,_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.ofMZ9VEBceqexkmHlEZy()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2],_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.IhuSliPKALz9y7u8ffAK(_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.RgihGvOLC3SonEoxJQr0(xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.pYWUqUlVW6wfJhUwtfW5AIYtteaZUEq36gAexTEQqLqGbx2DMyqRweHaMmhN,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.sXpyXFTMJJjZDqVTtc72mak4P8eIk29Zqplk0XhKDV4ULicqjbSl30Rlq5voKAjB5gMdSzmXXezNen8TAEIwBFxMELbt,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.GLUDyttX5fYyZvkfqSL5ZirRDVKbVEhp4CysdYGyiVkUyypHQNW481ZhTKcwx4vQNVSSyW6IPRXnGT38GLad6lWw2VBX,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.P3tJdk6bI2DLaTfGz923qBPLXIVuUbUnXzEqflECKDASAdJAEJ5IBJTC1zkHVzxOiIofl5LpLGXoDu5DJsBXHcA6GGlW,_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.ofMZ9VEBceqexkmHlEZy()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2],_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.IhuSliPKALz9y7u8ffAK(_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.RgihGvOLC3SonEoxJQr0(xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.pYWUqUlVW6wfJhUwtfW5AIYtteaZUEq36gAexTEQqLqGbx2DMyqRweHaMmhN,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.sXpyXFTMJJjZDqVTtc72mak4P8eIk29Zqplk0XhKDV4ULicqjbSl30Rlq5voKAjB5gMdSzmXXezNen8TAEIwBFxMELbt,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.GLUDyttX5fYyZvkfqSL5ZirRDVKbVEhp4CysdYGyiVkUyypHQNW481ZhTKcwx4vQNVSSyW6IPRXnGT38GLad6lWw2VBX,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.P3tJdk6bI2DLaTfGz923qBPLXIVuUbUnXzEqflECKDASAdJAEJ5IBJTC1zkHVzxOiIofl5LpLGXoDu5DJsBXHcA6GGlW,_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.ofMZ9VEBceqexkmHlEZy()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2],_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.IhuSliPKALz9y7u8ffAK(_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.RgihGvOLC3SonEoxJQr0(xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: _12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E System.AppDomain.Load(byte[])
Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa System.AppDomain.Load(byte[])
Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: _12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E System.AppDomain.Load(byte[])
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa System.AppDomain.Load(byte[])
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa
Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: _12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E System.AppDomain.Load(byte[])
Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa System.AppDomain.Load(byte[])
Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Code function: 0_2_00007FFD348900BD pushad ; iretd	0_2_00007FFD348900C1
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B1133 push ebx; ret	2_2_00007FFD348B118A
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B00BD pushad ; iretd	2_2_00007FFD348B00C1
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B11BA push ebx; ret	2_2_00007FFD348B118A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD3476D2A5 pushad ; iretd	3_2_00007FFD3476D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD34952316 push 8B485F95h; iretd	3_2_00007FFD3495231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD347AD2A5 pushad ; iretd	6_2_00007FFD347AD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD348CC2C5 push ebx; iretd	6_2_00007FFD348CC2DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD34992316 push 8B485F91h; iretd	6_2_00007FFD3499231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD3477D2A5 pushad ; iretd	11_2_00007FFD3477D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD34962316 push 8B485F94h; iretd	11_2_00007FFD3496231B
Source: C:\Users\user\AppData\Roaming\X.exe	Code function: 14_2_00007FFD348A00BD pushad ; iretd	14_2_00007FFD348A00C1

Source: OXhiMvksgM.exe

Static PE information: section name: .text entropy: 7.829056816610667

Source: X.exe.0.dr, 9M4B1GrUSVl6ZkgZecK5.cs	High entropy of concatenated method names: 'l0FiV1uyY6XgHt1KUrCt', 'x9AMaYlzzX1eaAnfI7aq', 'rBvCVuSeBtaLNni4uEvf', 'YJOXWQkCwCpQPvykZx69HSDgoQ92vJWowUCO06Mg3q25tn8xMU8f', 'uLmSXH0siGZKk0AKRxeGKs3LwzgqTG2bmIBwOZM0GlQSdplxX62g', 'dcpgf1D4BTcLq9uOmgjRFIN15pnhroIITDtLluEc02EHBaTEjoRb', 'EjdlsvOedAhnZLG62s6AWE0GfGgBPdypla0hvb3Yv5s0CjAMSTj7', 'qM7IckYa6hctTc57jAiqie8G4GsL0I4EoQRJMXufdbRYme8U5Hj5', 'eANpGBvDnau4a6vSKvVjLpl3MOjnGaF1bKCCUehA2YSukkYly6b0', 'fFbJhnxWLyXLCjL08Q6w9wFHJuzOldlvHBzlcw9H5AX52ENfT1gi'
Source: X.exe.0.dr, vj570uwkd7cUNklRh7kC10hlZMwhwjtBuflh4kXo8tfARZksd2cbVfOSTPfMQYtdnk0LCXp3JQHLu.cs	High entropy of concatenated method names: 'nBjxIeG6fcQuivblrEHPOVYpIT8CnDkSxir4BNVmQlEUcST19QjWAgu8CM2HIahH12WbGGAo97WAP', 'QeGh0FifMu6r5t0l5HxHYCaUVROYajtQ4eWtqrwl2bmfb29CmkxNFTWdbEbkjYZaj7Op3Xpj6bNds', 'KRVxlIvZG3gbNxoYa29sPsDHx5uJXu9pW7l2K0Rso8pOK6GCD5liIEbGf1qoml5cdelBbZNwgFseE', 'M5kJDkjBtjpu7HNmrhmfuOnXX47RJgvzVKgZZyzIxsx9sAxyylC7hWB54qrgWjPb2Gjv6gRONVAxR', 'LXgHbKZ8MtjAjDTqHldz', 'TffD3rp7aUsPuNH2daSy', '_4avzKuuxSTYLH4YW1BsS', '_31pDrWITj2y887pktCZr', 'YY0ZprY8oX1XWHhWjihj', '_6sehBr4kQiuKXmLTwfN1'
Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	High entropy of concatenated method names: 'h1vX4Vzkw1ff8uXp6vttbhpb9yFQrv3VfI53CaL29ZDX8UHicEM4kwYRXqX9uDCw8KOFEJT8BNbTiWP9n9kPZ1HcCxlT', '_12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E', 'JQhqx6wvf2kikAuVvxK1x1JsDSEu74pqTRM1nx8QGKGvU4R04kUe3VEK1LRy8PYx509YpXZ4oKOoqkpaQk1U5kVGlaUd', 'FhgatrPhZKNy5QLTl67tRVW1DPfXOo1UyOFba6UhREAukvNcTGQoqJlphNbh5jUXHFAS5pdqnZPf2PIGYBGFgUwBwuyZ', 'c43NLo0Ak8GyU4KxoRNIvxGPK0YwEK340AYIGiGjwiG21xT88bfGWMbovJ85T7GsdDW7VjXTsVXf0S1g7m1qnjKbsMbe', 'DiL9HeA0NuvC2GDGi8JRubPgKKTYcocLq4BLtmmMANm6WPDy7uuSZftGE4WpEuphlQ4byPVIfCdZOaROb55Dt5UdhRoz', 'P9MZcOsh7DQp81YscuSjPuv6yIIEe0tSh7nfICGLoXTUrFWlabaoGfV5BbFDsc11FcQLchaP3wAcA', 'mfVlzF8bQX6xCw7yPQcjlUYAb7GeqGmpyPi2LA1C0CneK4Txl2rLe18hRdzR0pj2Gl2X18LiqUq8f', 'q1D5EIMuXr9n143pqUJXSTCUfVYXcmkbttFkRhDS6RtlSB7WELh3F3AsnOIcWMEiuaFLP34TnrzUT', 'susH1NZtA8ujwzdPVH3Yfsc6l7AwqKt5ibgBpsHOQf7DHwwPhBaNsj8xLiiI9tMGnb2LnqQqH2n7C'
Source: X.exe.0.dr, umwp9AMg5lxEEt7pD1HOrJazhdph96HqgMOndolUFCAXavvFh2xFOg6kVr9JWMwETKIv3g3aufJtos1WryP7daOl6TBz.cs	High entropy of concatenated method names: 'FOeo5xICROFmt6uFpXHkVl34iNsISskc8tMyxTOPRiaWZ6ICMMS0ivnqoepkgCCxPxhVxT0CZcQivXSuYedr9dHP3RF6', 'iQCE0eg6JTQUuoQe8DhaYfKg9zhFVPl8L1Flv5byiQwBqZmnZumGoe7NY7jiNdsdsZ0uEbV8i5npuzxpZblKqAw4OTMF', 'jaMGxxuikP2emh88lWzAFP8DB6iwJnL05suEkVlyE3tKnOqAU0EhbdwsTA3LD7nB3NaaWFxv7LgjqMJC421TfHALTDyD', 'MNgGPACbvGd51gJmUqPeb4qQBDXDp0piyEwQG08bKWdHTtGwPyJ04aQttQOidBfcgBFksyeSFfZP2Gt8fDulGVtTXanE', 't0kvSS6G4yA96Egr07T5', 'Uv69mFvL94TvYyd7OPzd', 'Of2jC8FjEg19qQbcnw9m', 'u34pSCrrRlWS55rY0zK3', 'JVJcn9Q0gjeM9Fj12H8I', '_53ntAmuOr6cx6o4ZoEbp'
Source: X.exe.0.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	High entropy of concatenated method names: 'e3CGvr5qu08Fb35l7eNlsgpvSSv9fbx2EsWlDYKlBCKIef4jJWjoz7zW8SnaTQUieNKwMBkVrnds3', '_81bkgQzNaOgSB5AkJmtU0AKwuwObGnN8UZH0Slcb6bOeGazOZaJfuyS3WC3zHoxKTFNx4SpbId259', 'xawXHo3NYXrSxuoQUWHrEKXnkBmkdBUa0w3FDKZgKXxOkLcuOEe5x5XBtE2YNlcBg590VmJ5lsS7X', 'PXUnBCr96jp93lLT0JyC', 'WBExqciHffEchvgxPUb5A7qXliQqjIIbzopyshNzFKPAmOMT7VEs', 'Ca2bioiJl6L9AQJv9ZRWzdNosITvoyFOJrbGEiLKP1qNwrjWbEKn', 'KPR2jSqBT58tZl0wLYYxHdQ8CJXYjzNkCbl345DKDkvKfv3nxtiv', 'SKuoyafNzcMmWgoUJLFzan7mrRJQ3iokB4rLG2b29lK2mth0HNE8', 'EPnYrnRyW6DKbhZkh5w55hovwH7oHHd3mfz1weI4L3UTr1ypBDWK', 'ziGDhFmyiTiduHpdPtPwSzct1zWOJGB4XCniUPegm2EKCDf9evbP'
Source: X.exe.0.dr, XTmjNlBDLPEMlUHpxzRnEHkerr4bOLgCksWpohEld3ivOptA0jWgPH7PX8TyQTMDNEEQ33XDcgcfd.cs	High entropy of concatenated method names: 'cF4yNTFzVIstnUm8H7yion0tg73JTPQqrrkDHsIyiaLqLKL9oo7WTFmbmTwCW8fnvf6B7GyWJqNBZ', 'pcYKSGFFNvV0xt9z8D8l', 'uLMek60WbIZjYAWvrouB', 'i0YKwq8mVUfSIBhU1X5C', 'tHtrQEH5E3P0OKXxe2ga'
Source: X.exe.0.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	High entropy of concatenated method names: 'kX2TuQmq5YwmdrVgKSZbaz6tzU5LdL0LIf6xbfdpvKj4p34yOUgQibyuVTdIjVKWZbb51KihKKSEL', 'hlsiJeax9t0djIDxWYLh', '_7DTKPOVQzZCFF5auyIJW', 'lsUqypPPrfMsFP731HaP', '_3HJYTd3gZh6Gvyw5I3CQ', 'or2Az45P6yScNtqYScIZ', 'BfTBasLanFRRnd0Rk2QY', 'nQjs7TFwEWFrlzh9taVg', 'YI9q1jCi0u9qjW1H1zo5', 'RgihGvOLC3SonEoxJQr0'
Source: X.exe.0.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	High entropy of concatenated method names: 'NziW8XSXfJLEIrUXdk27fC3VOp8XereqxkSWBN9Nn0p3hR830oFjsV48alZVOj7MkW3kD6Gfg7hhegS755wvYnROl511', 'BsM3GwSQ4UIraYKsC5zwhpH6gZSUutMGX7J5ZalGXrphtO3ewPjtGAO8MeDyKpXvsjGZfIvWjbgaeVGHBvc7v8Y9ZgKx', 'kK0gh0IB8ZyvMocq8TIcqlcI2h9Y421OiFFQOO76jfaIqjQhlaLYrjRACreHcbyHLceK69Rd4hd7CIZJNDhv3W8HonCx', 'zRWZutwZXj1RBmScTQrRBr1wep1Z48OAoKi66ideNBZUwwLBiIVOjLb6eqfdmtJRHhE0kCBiXWPXWcIl9FWvAmW1um7C', 'zQQH2LNvnG9w7CkJ2o5aP4oXBAu4251ZQ2oy0M0lSmu3jgX1nckZRed66IT94dgiGI345nq5Dl5LqIxcXnNJ0oJFBEKd', 'fbVzelS7wR8lIxmWsfI7QJ2GmpKh4OCS3EMaDq0xrOjhjviMWe9yERBfBUoHddSPgTlEnlV2XL6SZKZg0Xn8xRb1xpds', '_5uEWX5v0Yi6UGtXMTWATXugNKycCboZIAHUJzre6dxgJkzBI73PiLqjRmpVU5IpINgvHTcES441N2ZauzX6pZ4KReoa9', 'poyoyh0G0GhwPzbsrCuOfxuFCALsD6V9S5AnSOTodmuXJmfUQvRp4xaa38nQdisbMdHaIYku5osklbOh1b6oAFaXQumP', '_0GpnysDlukr8QC9sQfhUrIB4PoThVtgsm91VJZZFFWOCkcumP8MSZjv2B2u2arIDYAUqvCn8sSQqMvaol3JUnqcfbOZC', 'bnz0OR7SHsn8KYA1z3WWNXDzT5tIuovrIVycr1YyrdcwNJrGrHWxcgUSjomqk4ADLRbx8xOv3k6e71NJ07K7r5pZpvzg'
Source: X.exe.0.dr, ShiMiSw6hOXz3m28qaYKiilCTtdUCmTGs1qRUugYwzzEcoaavnggxyLXBjcEJNNEqjHFmzwdoRwei.cs	High entropy of concatenated method names: 'IbGF7xgffy69flOyKyC5GxJTISImhFC0w7rSn3xNSehozlZU1EqaZM6WUNogfSej0qtJXXhzDGFCB', 'Hho8UW8EYm9TtigbIjuV6vC6mzx49vMrbDcaVBuV9b9nUqGrLsHKBwwOtBjzLJtwsOVbIjDFMkeRj', 'EKtlG9oinIjvC2lCWCVAEmbXVHEZkKG26DaOiIL4MnlfHt74NJZsKIyuj8SbL25XmazQ89mqKqjCt', 'smbGajaQsBxA7l54zd04', 'aFhb5tTBZRnJvrvaKiyu', 'lMUzmSdFWCG3IXDxLE4O', 'gPlgDAgTyg6BJMel76lS', 'k14Xa0PqtNpNiI6gI9v9', 'Sf2muGgQ60OcASgVHVRN', 'nIzjKwPkAudF7qhkwVy8'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 9M4B1GrUSVl6ZkgZecK5.cs	High entropy of concatenated method names: 'l0FiV1uyY6XgHt1KUrCt', 'x9AMaYlzzX1eaAnfI7aq', 'rBvCVuSeBtaLNni4uEvf', 'YJOXWQkCwCpQPvykZx69HSDgoQ92vJWowUCO06Mg3q25tn8xMU8f', 'uLmSXH0siGZKk0AKRxeGKs3LwzgqTG2bmIBwOZM0GlQSdplxX62g', 'dcpgf1D4BTcLq9uOmgjRFIN15pnhroIITDtLluEc02EHBaTEjoRb', 'EjdlsvOedAhnZLG62s6AWE0GfGgBPdypla0hvb3Yv5s0CjAMSTj7', 'qM7IckYa6hctTc57jAiqie8G4GsL0I4EoQRJMXufdbRYme8U5Hj5', 'eANpGBvDnau4a6vSKvVjLpl3MOjnGaF1bKCCUehA2YSukkYly6b0', 'fFbJhnxWLyXLCjL08Q6w9wFHJuzOldlvHBzlcw9H5AX52ENfT1gi'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, vj570uwkd7cUNklRh7kC10hlZMwhwjtBuflh4kXo8tfARZksd2cbVfOSTPfMQYtdnk0LCXp3JQHLu.cs	High entropy of concatenated method names: 'nBjxIeG6fcQuivblrEHPOVYpIT8CnDkSxir4BNVmQlEUcST19QjWAgu8CM2HIahH12WbGGAo97WAP', 'QeGh0FifMu6r5t0l5HxHYCaUVROYajtQ4eWtqrwl2bmfb29CmkxNFTWdbEbkjYZaj7Op3Xpj6bNds', 'KRVxlIvZG3gbNxoYa29sPsDHx5uJXu9pW7l2K0Rso8pOK6GCD5liIEbGf1qoml5cdelBbZNwgFseE', 'M5kJDkjBtjpu7HNmrhmfuOnXX47RJgvzVKgZZyzIxsx9sAxyylC7hWB54qrgWjPb2Gjv6gRONVAxR', 'LXgHbKZ8MtjAjDTqHldz', 'TffD3rp7aUsPuNH2daSy', '_4avzKuuxSTYLH4YW1BsS', '_31pDrWITj2y887pktCZr', 'YY0ZprY8oX1XWHhWjihj', '_6sehBr4kQiuKXmLTwfN1'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	High entropy of concatenated method names: 'h1vX4Vzkw1ff8uXp6vttbhpb9yFQrv3VfI53CaL29ZDX8UHicEM4kwYRXqX9uDCw8KOFEJT8BNbTiWP9n9kPZ1HcCxlT', '_12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E', 'JQhqx6wvf2kikAuVvxK1x1JsDSEu74pqTRM1nx8QGKGvU4R04kUe3VEK1LRy8PYx509YpXZ4oKOoqkpaQk1U5kVGlaUd', 'FhgatrPhZKNy5QLTl67tRVW1DPfXOo1UyOFba6UhREAukvNcTGQoqJlphNbh5jUXHFAS5pdqnZPf2PIGYBGFgUwBwuyZ', 'c43NLo0Ak8GyU4KxoRNIvxGPK0YwEK340AYIGiGjwiG21xT88bfGWMbovJ85T7GsdDW7VjXTsVXf0S1g7m1qnjKbsMbe', 'DiL9HeA0NuvC2GDGi8JRubPgKKTYcocLq4BLtmmMANm6WPDy7uuSZftGE4WpEuphlQ4byPVIfCdZOaROb55Dt5UdhRoz', 'P9MZcOsh7DQp81YscuSjPuv6yIIEe0tSh7nfICGLoXTUrFWlabaoGfV5BbFDsc11FcQLchaP3wAcA', 'mfVlzF8bQX6xCw7yPQcjlUYAb7GeqGmpyPi2LA1C0CneK4Txl2rLe18hRdzR0pj2Gl2X18LiqUq8f', 'q1D5EIMuXr9n143pqUJXSTCUfVYXcmkbttFkRhDS6RtlSB7WELh3F3AsnOIcWMEiuaFLP34TnrzUT', 'susH1NZtA8ujwzdPVH3Yfsc6l7AwqKt5ibgBpsHOQf7DHwwPhBaNsj8xLiiI9tMGnb2LnqQqH2n7C'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, umwp9AMg5lxEEt7pD1HOrJazhdph96HqgMOndolUFCAXavvFh2xFOg6kVr9JWMwETKIv3g3aufJtos1WryP7daOl6TBz.cs	High entropy of concatenated method names: 'FOeo5xICROFmt6uFpXHkVl34iNsISskc8tMyxTOPRiaWZ6ICMMS0ivnqoepkgCCxPxhVxT0CZcQivXSuYedr9dHP3RF6', 'iQCE0eg6JTQUuoQe8DhaYfKg9zhFVPl8L1Flv5byiQwBqZmnZumGoe7NY7jiNdsdsZ0uEbV8i5npuzxpZblKqAw4OTMF', 'jaMGxxuikP2emh88lWzAFP8DB6iwJnL05suEkVlyE3tKnOqAU0EhbdwsTA3LD7nB3NaaWFxv7LgjqMJC421TfHALTDyD', 'MNgGPACbvGd51gJmUqPeb4qQBDXDp0piyEwQG08bKWdHTtGwPyJ04aQttQOidBfcgBFksyeSFfZP2Gt8fDulGVtTXanE', 't0kvSS6G4yA96Egr07T5', 'Uv69mFvL94TvYyd7OPzd', 'Of2jC8FjEg19qQbcnw9m', 'u34pSCrrRlWS55rY0zK3', 'JVJcn9Q0gjeM9Fj12H8I', '_53ntAmuOr6cx6o4ZoEbp'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	High entropy of concatenated method names: 'e3CGvr5qu08Fb35l7eNlsgpvSSv9fbx2EsWlDYKlBCKIef4jJWjoz7zW8SnaTQUieNKwMBkVrnds3', '_81bkgQzNaOgSB5AkJmtU0AKwuwObGnN8UZH0Slcb6bOeGazOZaJfuyS3WC3zHoxKTFNx4SpbId259', 'xawXHo3NYXrSxuoQUWHrEKXnkBmkdBUa0w3FDKZgKXxOkLcuOEe5x5XBtE2YNlcBg590VmJ5lsS7X', 'PXUnBCr96jp93lLT0JyC', 'WBExqciHffEchvgxPUb5A7qXliQqjIIbzopyshNzFKPAmOMT7VEs', 'Ca2bioiJl6L9AQJv9ZRWzdNosITvoyFOJrbGEiLKP1qNwrjWbEKn', 'KPR2jSqBT58tZl0wLYYxHdQ8CJXYjzNkCbl345DKDkvKfv3nxtiv', 'SKuoyafNzcMmWgoUJLFzan7mrRJQ3iokB4rLG2b29lK2mth0HNE8', 'EPnYrnRyW6DKbhZkh5w55hovwH7oHHd3mfz1weI4L3UTr1ypBDWK', 'ziGDhFmyiTiduHpdPtPwSzct1zWOJGB4XCniUPegm2EKCDf9evbP'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, XTmjNlBDLPEMlUHpxzRnEHkerr4bOLgCksWpohEld3ivOptA0jWgPH7PX8TyQTMDNEEQ33XDcgcfd.cs	High entropy of concatenated method names: 'cF4yNTFzVIstnUm8H7yion0tg73JTPQqrrkDHsIyiaLqLKL9oo7WTFmbmTwCW8fnvf6B7GyWJqNBZ', 'pcYKSGFFNvV0xt9z8D8l', 'uLMek60WbIZjYAWvrouB', 'i0YKwq8mVUfSIBhU1X5C', 'tHtrQEH5E3P0OKXxe2ga'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	High entropy of concatenated method names: 'kX2TuQmq5YwmdrVgKSZbaz6tzU5LdL0LIf6xbfdpvKj4p34yOUgQibyuVTdIjVKWZbb51KihKKSEL', 'hlsiJeax9t0djIDxWYLh', '_7DTKPOVQzZCFF5auyIJW', 'lsUqypPPrfMsFP731HaP', '_3HJYTd3gZh6Gvyw5I3CQ', 'or2Az45P6yScNtqYScIZ', 'BfTBasLanFRRnd0Rk2QY', 'nQjs7TFwEWFrlzh9taVg', 'YI9q1jCi0u9qjW1H1zo5', 'RgihGvOLC3SonEoxJQr0'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	High entropy of concatenated method names: 'NziW8XSXfJLEIrUXdk27fC3VOp8XereqxkSWBN9Nn0p3hR830oFjsV48alZVOj7MkW3kD6Gfg7hhegS755wvYnROl511', 'BsM3GwSQ4UIraYKsC5zwhpH6gZSUutMGX7J5ZalGXrphtO3ewPjtGAO8MeDyKpXvsjGZfIvWjbgaeVGHBvc7v8Y9ZgKx', 'kK0gh0IB8ZyvMocq8TIcqlcI2h9Y421OiFFQOO76jfaIqjQhlaLYrjRACreHcbyHLceK69Rd4hd7CIZJNDhv3W8HonCx', 'zRWZutwZXj1RBmScTQrRBr1wep1Z48OAoKi66ideNBZUwwLBiIVOjLb6eqfdmtJRHhE0kCBiXWPXWcIl9FWvAmW1um7C', 'zQQH2LNvnG9w7CkJ2o5aP4oXBAu4251ZQ2oy0M0lSmu3jgX1nckZRed66IT94dgiGI345nq5Dl5LqIxcXnNJ0oJFBEKd', 'fbVzelS7wR8lIxmWsfI7QJ2GmpKh4OCS3EMaDq0xrOjhjviMWe9yERBfBUoHddSPgTlEnlV2XL6SZKZg0Xn8xRb1xpds', '_5uEWX5v0Yi6UGtXMTWATXugNKycCboZIAHUJzre6dxgJkzBI73PiLqjRmpVU5IpINgvHTcES441N2ZauzX6pZ4KReoa9', 'poyoyh0G0GhwPzbsrCuOfxuFCALsD6V9S5AnSOTodmuXJmfUQvRp4xaa38nQdisbMdHaIYku5osklbOh1b6oAFaXQumP', '_0GpnysDlukr8QC9sQfhUrIB4PoThVtgsm91VJZZFFWOCkcumP8MSZjv2B2u2arIDYAUqvCn8sSQqMvaol3JUnqcfbOZC', 'bnz0OR7SHsn8KYA1z3WWNXDzT5tIuovrIVycr1YyrdcwNJrGrHWxcgUSjomqk4ADLRbx8xOv3k6e71NJ07K7r5pZpvzg'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, ShiMiSw6hOXz3m28qaYKiilCTtdUCmTGs1qRUugYwzzEcoaavnggxyLXBjcEJNNEqjHFmzwdoRwei.cs	High entropy of concatenated method names: 'IbGF7xgffy69flOyKyC5GxJTISImhFC0w7rSn3xNSehozlZU1EqaZM6WUNogfSej0qtJXXhzDGFCB', 'Hho8UW8EYm9TtigbIjuV6vC6mzx49vMrbDcaVBuV9b9nUqGrLsHKBwwOtBjzLJtwsOVbIjDFMkeRj', 'EKtlG9oinIjvC2lCWCVAEmbXVHEZkKG26DaOiIL4MnlfHt74NJZsKIyuj8SbL25XmazQ89mqKqjCt', 'smbGajaQsBxA7l54zd04', 'aFhb5tTBZRnJvrvaKiyu', 'lMUzmSdFWCG3IXDxLE4O', 'gPlgDAgTyg6BJMel76lS', 'k14Xa0PqtNpNiI6gI9v9', 'Sf2muGgQ60OcASgVHVRN', 'nIzjKwPkAudF7qhkwVy8'
Source: X.exe.2.dr, 9M4B1GrUSVl6ZkgZecK5.cs	High entropy of concatenated method names: 'l0FiV1uyY6XgHt1KUrCt', 'x9AMaYlzzX1eaAnfI7aq', 'rBvCVuSeBtaLNni4uEvf', 'YJOXWQkCwCpQPvykZx69HSDgoQ92vJWowUCO06Mg3q25tn8xMU8f', 'uLmSXH0siGZKk0AKRxeGKs3LwzgqTG2bmIBwOZM0GlQSdplxX62g', 'dcpgf1D4BTcLq9uOmgjRFIN15pnhroIITDtLluEc02EHBaTEjoRb', 'EjdlsvOedAhnZLG62s6AWE0GfGgBPdypla0hvb3Yv5s0CjAMSTj7', 'qM7IckYa6hctTc57jAiqie8G4GsL0I4EoQRJMXufdbRYme8U5Hj5', 'eANpGBvDnau4a6vSKvVjLpl3MOjnGaF1bKCCUehA2YSukkYly6b0', 'fFbJhnxWLyXLCjL08Q6w9wFHJuzOldlvHBzlcw9H5AX52ENfT1gi'
Source: X.exe.2.dr, vj570uwkd7cUNklRh7kC10hlZMwhwjtBuflh4kXo8tfARZksd2cbVfOSTPfMQYtdnk0LCXp3JQHLu.cs	High entropy of concatenated method names: 'nBjxIeG6fcQuivblrEHPOVYpIT8CnDkSxir4BNVmQlEUcST19QjWAgu8CM2HIahH12WbGGAo97WAP', 'QeGh0FifMu6r5t0l5HxHYCaUVROYajtQ4eWtqrwl2bmfb29CmkxNFTWdbEbkjYZaj7Op3Xpj6bNds', 'KRVxlIvZG3gbNxoYa29sPsDHx5uJXu9pW7l2K0Rso8pOK6GCD5liIEbGf1qoml5cdelBbZNwgFseE', 'M5kJDkjBtjpu7HNmrhmfuOnXX47RJgvzVKgZZyzIxsx9sAxyylC7hWB54qrgWjPb2Gjv6gRONVAxR', 'LXgHbKZ8MtjAjDTqHldz', 'TffD3rp7aUsPuNH2daSy', '_4avzKuuxSTYLH4YW1BsS', '_31pDrWITj2y887pktCZr', 'YY0ZprY8oX1XWHhWjihj', '_6sehBr4kQiuKXmLTwfN1'
Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	High entropy of concatenated method names: 'h1vX4Vzkw1ff8uXp6vttbhpb9yFQrv3VfI53CaL29ZDX8UHicEM4kwYRXqX9uDCw8KOFEJT8BNbTiWP9n9kPZ1HcCxlT', '_12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E', 'JQhqx6wvf2kikAuVvxK1x1JsDSEu74pqTRM1nx8QGKGvU4R04kUe3VEK1LRy8PYx509YpXZ4oKOoqkpaQk1U5kVGlaUd', 'FhgatrPhZKNy5QLTl67tRVW1DPfXOo1UyOFba6UhREAukvNcTGQoqJlphNbh5jUXHFAS5pdqnZPf2PIGYBGFgUwBwuyZ', 'c43NLo0Ak8GyU4KxoRNIvxGPK0YwEK340AYIGiGjwiG21xT88bfGWMbovJ85T7GsdDW7VjXTsVXf0S1g7m1qnjKbsMbe', 'DiL9HeA0NuvC2GDGi8JRubPgKKTYcocLq4BLtmmMANm6WPDy7uuSZftGE4WpEuphlQ4byPVIfCdZOaROb55Dt5UdhRoz', 'P9MZcOsh7DQp81YscuSjPuv6yIIEe0tSh7nfICGLoXTUrFWlabaoGfV5BbFDsc11FcQLchaP3wAcA', 'mfVlzF8bQX6xCw7yPQcjlUYAb7GeqGmpyPi2LA1C0CneK4Txl2rLe18hRdzR0pj2Gl2X18LiqUq8f', 'q1D5EIMuXr9n143pqUJXSTCUfVYXcmkbttFkRhDS6RtlSB7WELh3F3AsnOIcWMEiuaFLP34TnrzUT', 'susH1NZtA8ujwzdPVH3Yfsc6l7AwqKt5ibgBpsHOQf7DHwwPhBaNsj8xLiiI9tMGnb2LnqQqH2n7C'
Source: X.exe.2.dr, umwp9AMg5lxEEt7pD1HOrJazhdph96HqgMOndolUFCAXavvFh2xFOg6kVr9JWMwETKIv3g3aufJtos1WryP7daOl6TBz.cs	High entropy of concatenated method names: 'FOeo5xICROFmt6uFpXHkVl34iNsISskc8tMyxTOPRiaWZ6ICMMS0ivnqoepkgCCxPxhVxT0CZcQivXSuYedr9dHP3RF6', 'iQCE0eg6JTQUuoQe8DhaYfKg9zhFVPl8L1Flv5byiQwBqZmnZumGoe7NY7jiNdsdsZ0uEbV8i5npuzxpZblKqAw4OTMF', 'jaMGxxuikP2emh88lWzAFP8DB6iwJnL05suEkVlyE3tKnOqAU0EhbdwsTA3LD7nB3NaaWFxv7LgjqMJC421TfHALTDyD', 'MNgGPACbvGd51gJmUqPeb4qQBDXDp0piyEwQG08bKWdHTtGwPyJ04aQttQOidBfcgBFksyeSFfZP2Gt8fDulGVtTXanE', 't0kvSS6G4yA96Egr07T5', 'Uv69mFvL94TvYyd7OPzd', 'Of2jC8FjEg19qQbcnw9m', 'u34pSCrrRlWS55rY0zK3', 'JVJcn9Q0gjeM9Fj12H8I', '_53ntAmuOr6cx6o4ZoEbp'
Source: X.exe.2.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	High entropy of concatenated method names: 'e3CGvr5qu08Fb35l7eNlsgpvSSv9fbx2EsWlDYKlBCKIef4jJWjoz7zW8SnaTQUieNKwMBkVrnds3', '_81bkgQzNaOgSB5AkJmtU0AKwuwObGnN8UZH0Slcb6bOeGazOZaJfuyS3WC3zHoxKTFNx4SpbId259', 'xawXHo3NYXrSxuoQUWHrEKXnkBmkdBUa0w3FDKZgKXxOkLcuOEe5x5XBtE2YNlcBg590VmJ5lsS7X', 'PXUnBCr96jp93lLT0JyC', 'WBExqciHffEchvgxPUb5A7qXliQqjIIbzopyshNzFKPAmOMT7VEs', 'Ca2bioiJl6L9AQJv9ZRWzdNosITvoyFOJrbGEiLKP1qNwrjWbEKn', 'KPR2jSqBT58tZl0wLYYxHdQ8CJXYjzNkCbl345DKDkvKfv3nxtiv', 'SKuoyafNzcMmWgoUJLFzan7mrRJQ3iokB4rLG2b29lK2mth0HNE8', 'EPnYrnRyW6DKbhZkh5w55hovwH7oHHd3mfz1weI4L3UTr1ypBDWK', 'ziGDhFmyiTiduHpdPtPwSzct1zWOJGB4XCniUPegm2EKCDf9evbP'
Source: X.exe.2.dr, XTmjNlBDLPEMlUHpxzRnEHkerr4bOLgCksWpohEld3ivOptA0jWgPH7PX8TyQTMDNEEQ33XDcgcfd.cs	High entropy of concatenated method names: 'cF4yNTFzVIstnUm8H7yion0tg73JTPQqrrkDHsIyiaLqLKL9oo7WTFmbmTwCW8fnvf6B7GyWJqNBZ', 'pcYKSGFFNvV0xt9z8D8l', 'uLMek60WbIZjYAWvrouB', 'i0YKwq8mVUfSIBhU1X5C', 'tHtrQEH5E3P0OKXxe2ga'
Source: X.exe.2.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	High entropy of concatenated method names: 'kX2TuQmq5YwmdrVgKSZbaz6tzU5LdL0LIf6xbfdpvKj4p34yOUgQibyuVTdIjVKWZbb51KihKKSEL', 'hlsiJeax9t0djIDxWYLh', '_7DTKPOVQzZCFF5auyIJW', 'lsUqypPPrfMsFP731HaP', '_3HJYTd3gZh6Gvyw5I3CQ', 'or2Az45P6yScNtqYScIZ', 'BfTBasLanFRRnd0Rk2QY', 'nQjs7TFwEWFrlzh9taVg', 'YI9q1jCi0u9qjW1H1zo5', 'RgihGvOLC3SonEoxJQr0'
Source: X.exe.2.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	High entropy of concatenated method names: 'NziW8XSXfJLEIrUXdk27fC3VOp8XereqxkSWBN9Nn0p3hR830oFjsV48alZVOj7MkW3kD6Gfg7hhegS755wvYnROl511', 'BsM3GwSQ4UIraYKsC5zwhpH6gZSUutMGX7J5ZalGXrphtO3ewPjtGAO8MeDyKpXvsjGZfIvWjbgaeVGHBvc7v8Y9ZgKx', 'kK0gh0IB8ZyvMocq8TIcqlcI2h9Y421OiFFQOO76jfaIqjQhlaLYrjRACreHcbyHLceK69Rd4hd7CIZJNDhv3W8HonCx', 'zRWZutwZXj1RBmScTQrRBr1wep1Z48OAoKi66ideNBZUwwLBiIVOjLb6eqfdmtJRHhE0kCBiXWPXWcIl9FWvAmW1um7C', 'zQQH2LNvnG9w7CkJ2o5aP4oXBAu4251ZQ2oy0M0lSmu3jgX1nckZRed66IT94dgiGI345nq5Dl5LqIxcXnNJ0oJFBEKd', 'fbVzelS7wR8lIxmWsfI7QJ2GmpKh4OCS3EMaDq0xrOjhjviMWe9yERBfBUoHddSPgTlEnlV2XL6SZKZg0Xn8xRb1xpds', '_5uEWX5v0Yi6UGtXMTWATXugNKycCboZIAHUJzre6dxgJkzBI73PiLqjRmpVU5IpINgvHTcES441N2ZauzX6pZ4KReoa9', 'poyoyh0G0GhwPzbsrCuOfxuFCALsD6V9S5AnSOTodmuXJmfUQvRp4xaa38nQdisbMdHaIYku5osklbOh1b6oAFaXQumP', '_0GpnysDlukr8QC9sQfhUrIB4PoThVtgsm91VJZZFFWOCkcumP8MSZjv2B2u2arIDYAUqvCn8sSQqMvaol3JUnqcfbOZC', 'bnz0OR7SHsn8KYA1z3WWNXDzT5tIuovrIVycr1YyrdcwNJrGrHWxcgUSjomqk4ADLRbx8xOv3k6e71NJ07K7r5pZpvzg'
Source: X.exe.2.dr, ShiMiSw6hOXz3m28qaYKiilCTtdUCmTGs1qRUugYwzzEcoaavnggxyLXBjcEJNNEqjHFmzwdoRwei.cs	High entropy of concatenated method names: 'IbGF7xgffy69flOyKyC5GxJTISImhFC0w7rSn3xNSehozlZU1EqaZM6WUNogfSej0qtJXXhzDGFCB', 'Hho8UW8EYm9TtigbIjuV6vC6mzx49vMrbDcaVBuV9b9nUqGrLsHKBwwOtBjzLJtwsOVbIjDFMkeRj', 'EKtlG9oinIjvC2lCWCVAEmbXVHEZkKG26DaOiIL4MnlfHt74NJZsKIyuj8SbL25XmazQ89mqKqjCt', 'smbGajaQsBxA7l54zd04', 'aFhb5tTBZRnJvrvaKiyu', 'lMUzmSdFWCG3IXDxLE4O', 'gPlgDAgTyg6BJMel76lS', 'k14Xa0PqtNpNiI6gI9v9', 'Sf2muGgQ60OcASgVHVRN', 'nIzjKwPkAudF7qhkwVy8'

Drops PE files

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	File created: C:\Users\user\AppData\Local\Temp\X.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\X.exe	File created: C:\Users\user\AppData\Roaming\X.exe			Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\AppData\Local\Temp\X.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\X.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\X.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run X			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run X			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Memory allocated: A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Memory allocated: 1A4B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Memory allocated: C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Memory allocated: 1A9C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\X.exe	Memory allocated: B40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\X.exe	Memory allocated: 1A690000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\X.exe	Memory allocated: 800000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\X.exe	Memory allocated: 1A400000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\X.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\X.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\X.exe	Window / User API: threadDelayed 2386	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Window / User API: threadDelayed 7446	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5278	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4521	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7108	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2410	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8453	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1139	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\OXhiMvksgM.exe TID: 3852	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe TID: 6280	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4620	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6288	Thread sleep count: 7108 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6288	Thread sleep count: 2410 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7012	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3608	Thread sleep count: 8453 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3608	Thread sleep count: 1139 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2308	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\X.exe TID: 7016	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\X.exe TID: 2612	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\X.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\X.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\X.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\X.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.18.dr	Binary or memory string: VMware
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.18.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.18.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.18.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.18.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.18.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.18.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.18.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.18.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.18.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.18.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.18.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.18.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local\Temp\X.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process queried: DebugPort			Jump to behavior

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\X.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\OXhiMvksgM.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X.exe'
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Local\Temp\X.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process created: C:\Users\user\AppData\Local\Temp\X.exe "C:\Users\user\AppData\Local\Temp\X.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X.exe'	Jump to behavior

Source: X.exe, 00000002.00000002.3289710637.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: X.exe, 00000002.00000002.3289710637.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: X.exe, 00000002.00000002.3289710637.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: X.exe, 00000002.00000002.3289710637.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: X.exe, 00000002.00000002.3289710637.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Queries volume information: C:\Users\user\Desktop\OXhiMvksgM.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\X.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\X.exe	Queries volume information: C:\Users\user\AppData\Roaming\X.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\X.exe	Queries volume information: C:\Users\user\AppData\Roaming\X.exe VolumeInformation

Source: C:\Users\user\Desktop\OXhiMvksgM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: X.exe, 00000002.00000002.3286114138.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp, X.exe, 00000002.00000002.3286114138.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp, X.exe, 00000002.00000002.3318294673.000000001B8B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\AppData\Local\Temp\X.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\X.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\X.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\X.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\X.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\X.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\X.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\X.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.OXhiMvksgM.exe.24d4310.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.X.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2145180452.00000000006C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OXhiMvksgM.exe PID: 2788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: X.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\X.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\X.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.OXhiMvksgM.exe.24d4310.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.X.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2145180452.00000000006C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OXhiMvksgM.exe PID: 2788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: X.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\X.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\X.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.22	activities-mustang.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

Contacted Domains

Name	IP	Active
activities-mustang.gl.at.ply.gg	147.185.221.22	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
activities-mustang.gl.at.ply.gg	true	Avira URL Cloud: malware	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: OXhiMvksgM.exe

Avira: detected

Antivirus detection for URL or domain

Source: activities-mustang.gl.at.ply.gg

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\X.exe	Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\user\AppData\Roaming\X.exe	Avira: detection malicious, Label: HEUR/AGEN.1305769

Found malware configuration

Source: 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["activities-mustang.gl.at.ply.gg"], "Port": 54756, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\X.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\X.exe	ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: OXhiMvksgM.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\X.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\X.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: OXhiMvksgM.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2.0.X.exe.6c0000.0.unpack	String decryptor: activities-mustang.gl.at.ply.gg
Source: 2.0.X.exe.6c0000.0.unpack	String decryptor: 54756
Source: 2.0.X.exe.6c0000.0.unpack	String decryptor: <123456789>
Source: 2.0.X.exe.6c0000.0.unpack	String decryptor: <Xwormmm>
Source: 2.0.X.exe.6c0000.0.unpack	String decryptor: USB.exe

Uses 32bit PE files

Source: OXhiMvksgM.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: OXhiMvksgM.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\X.PDBrces source: X.exe, 00000002.00000002.3318294673.000000001B87C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbC4Qo$ source: X.exe, 00000002.00000002.3318294673.000000001B8D1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbPJ7n% source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbZO source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER635D.tmp.dmp.18.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Configuration.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdbh source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Xml.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb` source: X.exe, 00000002.00000002.3318294673.000000001B8B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B8D1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B8B1000.00000004.00000020.00020000.00000000.sdmp, WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Management.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: mscorlib.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Management.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: mscorlib.pdbM source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbE source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER635D.tmp.dmp.18.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER635D.tmp.dmp.18.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49995 -> 147.185.221.22:54756

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: activities-mustang.gl.at.ply.gg

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49899 -> 147.185.221.22:54756

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 147.185.221.22 147.185.221.22

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: activities-mustang.gl.at.ply.gg

Source: powershell.exe, 00000006.00000002.2351552133.000001C967B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000006.00000002.2351552133.000001C967B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000003.00000002.2231638777.000002BAD209F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2335806217.000001C95F3CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2215673599.000002BAC2259000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2272627958.000001C94F589000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: X.exe, 00000002.00000002.3289710637.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2215673599.000002BAC2031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2272627958.000001C94F361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2382285589.000002B200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2215673599.000002BAC2259000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2272627958.000001C94F589000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.18.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.2508262262.000002B277C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.cou
Source: powershell.exe, 00000003.00000002.2215673599.000002BAC2031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2272627958.000001C94F361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2382285589.000002B200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2382285589.000002B200228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2231638777.000002BAD209F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2335806217.000001C95F3CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2483230745.000002B21006F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Local\Temp\X.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.OXhiMvksgM.exe.24d4310.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.X.exe.6c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.2145180452.00000000006C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\X.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\X.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Code function: 0_2_00007FFD34890A21	0_2_00007FFD34890A21
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B8CE6	2_2_00007FFD348B8CE6
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B2E99	2_2_00007FFD348B2E99
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B9A92	2_2_00007FFD348B9A92
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B1659	2_2_00007FFD348B1659
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B2F43	2_2_00007FFD348B2F43
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B388D	2_2_00007FFD348B388D
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B449F	2_2_00007FFD348B449F
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B1E1D	2_2_00007FFD348B1E1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD3488B9FA	3_2_00007FFD3488B9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD34888E2C	3_2_00007FFD34888E2C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD3488BAFB	3_2_00007FFD3488BAFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD3488BC4A	3_2_00007FFD3488BC4A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD34882785	3_2_00007FFD34882785
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD348C34FD	6_2_00007FFD348C34FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD348C35FA	6_2_00007FFD348C35FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD348C5BF2	6_2_00007FFD348C5BF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD34898503	11_2_00007FFD34898503
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD34898E05	11_2_00007FFD34898E05
Source: C:\Users\user\AppData\Roaming\X.exe	Code function: 14_2_00007FFD348A1659	14_2_00007FFD348A1659
Source: C:\Users\user\AppData\Roaming\X.exe	Code function: 14_2_00007FFD348A1E1D	14_2_00007FFD348A1E1D
Source: C:\Users\user\AppData\Roaming\X.exe	Code function: 15_2_00007FFD34881659	15_2_00007FFD34881659
Source: C:\Users\user\AppData\Roaming\X.exe	Code function: 15_2_00007FFD34881E1D	15_2_00007FFD34881E1D

One or more processes crash

Source: C:\Windows\System32\conhost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 7100 -ip 7100

Sample file is different than original file name gathered from version info

Source: OXhiMvksgM.exe, 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameX.exe4 vs OXhiMvksgM.exe
Source: OXhiMvksgM.exe	Binary or memory string: OriginalFilenameXBinderOutput.exe4 vs OXhiMvksgM.exe

Uses 32bit PE files

Source: OXhiMvksgM.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.OXhiMvksgM.exe.24d4310.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.X.exe.6c0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.2145180452.00000000006C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\X.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\X.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: OXhiMvksgM.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: OXhiMvksgM.exe

Static PE information: Section: .rsrc ZLIB complexity 0.9908987576844263

Source: X.exe.0.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: X.exe.0.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: X.exe.0.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: X.exe.2.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: X.exe.2.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: X.exe.2.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: X.exe.0.dr, 9M4B1GrUSVl6ZkgZecK5.cs	Base64 encoded string: 'SUzxqYnSIZ3rwlu3W5pG63sJOzfr5xhpGDRRLFrnnWfejlQIJNdL', 'JS0jsHU3mlUCSUFwSLdre9RG4Ci9dBvqaAg81TNQChm6YaEGxoPm'
Source: X.exe.0.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	Base64 encoded string: 'gAwL7Nk4jP68a4xEytjqv7HSAcF5N7jgU2gJJh6N7HrphZjYvKU6', 'ojUmilqfK0mddif3OzHZ3jL0kqcUePYer82iIppRzALKRJHIgIB6'
Source: X.exe.0.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Base64 encoded string: 'UmZWuD6cpDFZ8CHTYvAcw0tFtW6KYb4dFi0Mrj3H6dFcJ6XYkiU2', 's1DbALCDBVsBxXnIpl22B4QKPS6Hgbs7fsS0PUeoKOt47ELqX8AH', 'OFg88b1Z2MvzbteZ9RMehu1PZ5rJveU3fz2i9yUKsXjfNTUh9366', 'XtOsxvNE9wyKdOh2voy0MSdSlSft9Ykpu2ruS8dpZl6iAb6IZhXC', 'iZUcKVFUVDWu1rGZW6QfpaZitdZWvsPPOhEgz9h2YL4rXvtYS4fv', 'I7ppiLkGu6Z8X9Ap68PLPY7cJF1ZGmhqaqKxKUVcnupZJgb523zR', 'gWbLobpkSqSBtLpHfrvQa1029k6vjUWUeCh4JlDB23Dad7yhshie', 'uWIYG8XoRkjd1uUQSdyaKQN9FIvsOGiYwDFipO8ulRzR0Yj9Ekqa', 'p5qguSS6LPKZnZhADHNxkgCShTX9Wc3US9CwWZ5BvWkHwZpWLtK3', 'IoxDAUCnxCryC7BpRHZfpAvgYztOwuDu9vQ4Kq08vVXgMVJ0r2vH'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 9M4B1GrUSVl6ZkgZecK5.cs	Base64 encoded string: 'SUzxqYnSIZ3rwlu3W5pG63sJOzfr5xhpGDRRLFrnnWfejlQIJNdL', 'JS0jsHU3mlUCSUFwSLdre9RG4Ci9dBvqaAg81TNQChm6YaEGxoPm'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	Base64 encoded string: 'gAwL7Nk4jP68a4xEytjqv7HSAcF5N7jgU2gJJh6N7HrphZjYvKU6', 'ojUmilqfK0mddif3OzHZ3jL0kqcUePYer82iIppRzALKRJHIgIB6'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Base64 encoded string: 'UmZWuD6cpDFZ8CHTYvAcw0tFtW6KYb4dFi0Mrj3H6dFcJ6XYkiU2', 's1DbALCDBVsBxXnIpl22B4QKPS6Hgbs7fsS0PUeoKOt47ELqX8AH', 'OFg88b1Z2MvzbteZ9RMehu1PZ5rJveU3fz2i9yUKsXjfNTUh9366', 'XtOsxvNE9wyKdOh2voy0MSdSlSft9Ykpu2ruS8dpZl6iAb6IZhXC', 'iZUcKVFUVDWu1rGZW6QfpaZitdZWvsPPOhEgz9h2YL4rXvtYS4fv', 'I7ppiLkGu6Z8X9Ap68PLPY7cJF1ZGmhqaqKxKUVcnupZJgb523zR', 'gWbLobpkSqSBtLpHfrvQa1029k6vjUWUeCh4JlDB23Dad7yhshie', 'uWIYG8XoRkjd1uUQSdyaKQN9FIvsOGiYwDFipO8ulRzR0Yj9Ekqa', 'p5qguSS6LPKZnZhADHNxkgCShTX9Wc3US9CwWZ5BvWkHwZpWLtK3', 'IoxDAUCnxCryC7BpRHZfpAvgYztOwuDu9vQ4Kq08vVXgMVJ0r2vH'
Source: X.exe.2.dr, 9M4B1GrUSVl6ZkgZecK5.cs	Base64 encoded string: 'SUzxqYnSIZ3rwlu3W5pG63sJOzfr5xhpGDRRLFrnnWfejlQIJNdL', 'JS0jsHU3mlUCSUFwSLdre9RG4Ci9dBvqaAg81TNQChm6YaEGxoPm'
Source: X.exe.2.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	Base64 encoded string: 'gAwL7Nk4jP68a4xEytjqv7HSAcF5N7jgU2gJJh6N7HrphZjYvKU6', 'ojUmilqfK0mddif3OzHZ3jL0kqcUePYer82iIppRzALKRJHIgIB6'
Source: X.exe.2.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	Base64 encoded string: 'UmZWuD6cpDFZ8CHTYvAcw0tFtW6KYb4dFi0Mrj3H6dFcJ6XYkiU2', 's1DbALCDBVsBxXnIpl22B4QKPS6Hgbs7fsS0PUeoKOt47ELqX8AH', 'OFg88b1Z2MvzbteZ9RMehu1PZ5rJveU3fz2i9yUKsXjfNTUh9366', 'XtOsxvNE9wyKdOh2voy0MSdSlSft9Ykpu2ruS8dpZl6iAb6IZhXC', 'iZUcKVFUVDWu1rGZW6QfpaZitdZWvsPPOhEgz9h2YL4rXvtYS4fv', 'I7ppiLkGu6Z8X9Ap68PLPY7cJF1ZGmhqaqKxKUVcnupZJgb523zR', 'gWbLobpkSqSBtLpHfrvQa1029k6vjUWUeCh4JlDB23Dad7yhshie', 'uWIYG8XoRkjd1uUQSdyaKQN9FIvsOGiYwDFipO8ulRzR0Yj9Ekqa', 'p5qguSS6LPKZnZhADHNxkgCShTX9Wc3US9CwWZ5BvWkHwZpWLtK3', 'IoxDAUCnxCryC7BpRHZfpAvgYztOwuDu9vQ4Kq08vVXgMVJ0r2vH'

Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: X.exe.2.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: X.exe.2.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: X.exe.0.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: X.exe.0.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: WER635D.tmp.dmp.18.dr	Binary string: \|\Device\Harddis
Source: WER635D.tmp.dmp.18.dr	Binary string: \|\Device\Harddis00330-7177086-AAOEMddiskVolume3C:\Windows\system32C:11904

Source: classification engine

Classification label: mal100.troj.evad.winEXE@16/24@1/1

Source: C:\Users\user\Desktop\OXhiMvksgM.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OXhiMvksgM.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\X.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7100
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Mutant created: \Sessions\1\BaseNamedObjects\X7Sbr9oc27SibDBmH
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:528:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6852:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\X.exe	Mutant created: \Sessions\1\BaseNamedObjects\I76LbgASVOnu6K26

Source: C:\Users\user\Desktop\OXhiMvksgM.exe

File created: C:\Users\user\AppData\Local\Temp\X.exe

Jump to behavior

Source: OXhiMvksgM.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: OXhiMvksgM.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\OXhiMvksgM.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OXhiMvksgM.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OXhiMvksgM.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\OXhiMvksgM.exe "C:\Users\user\Desktop\OXhiMvksgM.exe"
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process created: C:\Users\user\AppData\Local\Temp\X.exe "C:\Users\user\AppData\Local\Temp\X.exe"
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\X.exe "C:\Users\user\AppData\Roaming\X.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\X.exe "C:\Users\user\AppData\Roaming\X.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 7100 -ip 7100
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7100 -s 2088
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process created: C:\Users\user\AppData\Local\Temp\X.exe "C:\Users\user\AppData\Local\Temp\X.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X.exe'	Jump to behavior

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\X.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\OXhiMvksgM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: X.lnk.2.dr

LNK file: ..\..\..\..\..\X.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\OXhiMvksgM.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: OXhiMvksgM.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: OXhiMvksgM.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\X.PDBrces source: X.exe, 00000002.00000002.3318294673.000000001B87C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbC4Qo$ source: X.exe, 00000002.00000002.3318294673.000000001B8D1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbPJ7n% source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbZO source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER635D.tmp.dmp.18.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Configuration.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdbh source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Xml.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb` source: X.exe, 00000002.00000002.3318294673.000000001B8B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B8D1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B8B1000.00000004.00000020.00020000.00000000.sdmp, WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Management.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: mscorlib.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Management.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3318294673.000000001B89E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: mscorlib.pdbM source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbE source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER635D.tmp.dmp.18.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.3321545972.000000001BE18000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER635D.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER635D.tmp.dmp.18.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.pYWUqUlVW6wfJhUwtfW5AIYtteaZUEq36gAexTEQqLqGbx2DMyqRweHaMmhN,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.sXpyXFTMJJjZDqVTtc72mak4P8eIk29Zqplk0XhKDV4ULicqjbSl30Rlq5voKAjB5gMdSzmXXezNen8TAEIwBFxMELbt,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.GLUDyttX5fYyZvkfqSL5ZirRDVKbVEhp4CysdYGyiVkUyypHQNW481ZhTKcwx4vQNVSSyW6IPRXnGT38GLad6lWw2VBX,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.P3tJdk6bI2DLaTfGz923qBPLXIVuUbUnXzEqflECKDASAdJAEJ5IBJTC1zkHVzxOiIofl5LpLGXoDu5DJsBXHcA6GGlW,_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.ofMZ9VEBceqexkmHlEZy()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2],_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.IhuSliPKALz9y7u8ffAK(_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.RgihGvOLC3SonEoxJQr0(xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.pYWUqUlVW6wfJhUwtfW5AIYtteaZUEq36gAexTEQqLqGbx2DMyqRweHaMmhN,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.sXpyXFTMJJjZDqVTtc72mak4P8eIk29Zqplk0XhKDV4ULicqjbSl30Rlq5voKAjB5gMdSzmXXezNen8TAEIwBFxMELbt,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.GLUDyttX5fYyZvkfqSL5ZirRDVKbVEhp4CysdYGyiVkUyypHQNW481ZhTKcwx4vQNVSSyW6IPRXnGT38GLad6lWw2VBX,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.P3tJdk6bI2DLaTfGz923qBPLXIVuUbUnXzEqflECKDASAdJAEJ5IBJTC1zkHVzxOiIofl5LpLGXoDu5DJsBXHcA6GGlW,_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.ofMZ9VEBceqexkmHlEZy()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2],_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.IhuSliPKALz9y7u8ffAK(_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.RgihGvOLC3SonEoxJQr0(xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.pYWUqUlVW6wfJhUwtfW5AIYtteaZUEq36gAexTEQqLqGbx2DMyqRweHaMmhN,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.sXpyXFTMJJjZDqVTtc72mak4P8eIk29Zqplk0XhKDV4ULicqjbSl30Rlq5voKAjB5gMdSzmXXezNen8TAEIwBFxMELbt,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.GLUDyttX5fYyZvkfqSL5ZirRDVKbVEhp4CysdYGyiVkUyypHQNW481ZhTKcwx4vQNVSSyW6IPRXnGT38GLad6lWw2VBX,_0MK8YVTJXK7TpeGXeDSsYqA9jzC6ekTxbaKpDWMqnaFmQb9vHHbat5Bg0Zyn.P3tJdk6bI2DLaTfGz923qBPLXIVuUbUnXzEqflECKDASAdJAEJ5IBJTC1zkHVzxOiIofl5LpLGXoDu5DJsBXHcA6GGlW,_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.ofMZ9VEBceqexkmHlEZy()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2],_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.IhuSliPKALz9y7u8ffAK(_0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.RgihGvOLC3SonEoxJQr0(xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { xPfjWjpHig95oCN508B6jljkHG4AU3Sd7BRjJHQ1idrmz8hm04kM3GSMbWcFU3RxstIDYFOOz3Al0[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: _12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E System.AppDomain.Load(byte[])
Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa System.AppDomain.Load(byte[])
Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: _12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E System.AppDomain.Load(byte[])
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa System.AppDomain.Load(byte[])
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa
Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: _12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E System.AppDomain.Load(byte[])
Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa System.AppDomain.Load(byte[])
Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	.Net Code: PvrYJtHemm9uLj0JOFM5wcm6u4jG6H88ntpjN0tNAkKSS5ls630t6F1j0QT1HjRt9kuU8OVsHkgEa

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Code function: 0_2_00007FFD348900BD pushad ; iretd	0_2_00007FFD348900C1
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B1133 push ebx; ret	2_2_00007FFD348B118A
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B00BD pushad ; iretd	2_2_00007FFD348B00C1
Source: C:\Users\user\AppData\Local\Temp\X.exe	Code function: 2_2_00007FFD348B11BA push ebx; ret	2_2_00007FFD348B118A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD3476D2A5 pushad ; iretd	3_2_00007FFD3476D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD34952316 push 8B485F95h; iretd	3_2_00007FFD3495231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD347AD2A5 pushad ; iretd	6_2_00007FFD347AD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD348CC2C5 push ebx; iretd	6_2_00007FFD348CC2DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD34992316 push 8B485F91h; iretd	6_2_00007FFD3499231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD3477D2A5 pushad ; iretd	11_2_00007FFD3477D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD34962316 push 8B485F94h; iretd	11_2_00007FFD3496231B
Source: C:\Users\user\AppData\Roaming\X.exe	Code function: 14_2_00007FFD348A00BD pushad ; iretd	14_2_00007FFD348A00C1

Source: OXhiMvksgM.exe

Static PE information: section name: .text entropy: 7.829056816610667

Source: X.exe.0.dr, 9M4B1GrUSVl6ZkgZecK5.cs	High entropy of concatenated method names: 'l0FiV1uyY6XgHt1KUrCt', 'x9AMaYlzzX1eaAnfI7aq', 'rBvCVuSeBtaLNni4uEvf', 'YJOXWQkCwCpQPvykZx69HSDgoQ92vJWowUCO06Mg3q25tn8xMU8f', 'uLmSXH0siGZKk0AKRxeGKs3LwzgqTG2bmIBwOZM0GlQSdplxX62g', 'dcpgf1D4BTcLq9uOmgjRFIN15pnhroIITDtLluEc02EHBaTEjoRb', 'EjdlsvOedAhnZLG62s6AWE0GfGgBPdypla0hvb3Yv5s0CjAMSTj7', 'qM7IckYa6hctTc57jAiqie8G4GsL0I4EoQRJMXufdbRYme8U5Hj5', 'eANpGBvDnau4a6vSKvVjLpl3MOjnGaF1bKCCUehA2YSukkYly6b0', 'fFbJhnxWLyXLCjL08Q6w9wFHJuzOldlvHBzlcw9H5AX52ENfT1gi'
Source: X.exe.0.dr, vj570uwkd7cUNklRh7kC10hlZMwhwjtBuflh4kXo8tfARZksd2cbVfOSTPfMQYtdnk0LCXp3JQHLu.cs	High entropy of concatenated method names: 'nBjxIeG6fcQuivblrEHPOVYpIT8CnDkSxir4BNVmQlEUcST19QjWAgu8CM2HIahH12WbGGAo97WAP', 'QeGh0FifMu6r5t0l5HxHYCaUVROYajtQ4eWtqrwl2bmfb29CmkxNFTWdbEbkjYZaj7Op3Xpj6bNds', 'KRVxlIvZG3gbNxoYa29sPsDHx5uJXu9pW7l2K0Rso8pOK6GCD5liIEbGf1qoml5cdelBbZNwgFseE', 'M5kJDkjBtjpu7HNmrhmfuOnXX47RJgvzVKgZZyzIxsx9sAxyylC7hWB54qrgWjPb2Gjv6gRONVAxR', 'LXgHbKZ8MtjAjDTqHldz', 'TffD3rp7aUsPuNH2daSy', '_4avzKuuxSTYLH4YW1BsS', '_31pDrWITj2y887pktCZr', 'YY0ZprY8oX1XWHhWjihj', '_6sehBr4kQiuKXmLTwfN1'
Source: X.exe.0.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	High entropy of concatenated method names: 'h1vX4Vzkw1ff8uXp6vttbhpb9yFQrv3VfI53CaL29ZDX8UHicEM4kwYRXqX9uDCw8KOFEJT8BNbTiWP9n9kPZ1HcCxlT', '_12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E', 'JQhqx6wvf2kikAuVvxK1x1JsDSEu74pqTRM1nx8QGKGvU4R04kUe3VEK1LRy8PYx509YpXZ4oKOoqkpaQk1U5kVGlaUd', 'FhgatrPhZKNy5QLTl67tRVW1DPfXOo1UyOFba6UhREAukvNcTGQoqJlphNbh5jUXHFAS5pdqnZPf2PIGYBGFgUwBwuyZ', 'c43NLo0Ak8GyU4KxoRNIvxGPK0YwEK340AYIGiGjwiG21xT88bfGWMbovJ85T7GsdDW7VjXTsVXf0S1g7m1qnjKbsMbe', 'DiL9HeA0NuvC2GDGi8JRubPgKKTYcocLq4BLtmmMANm6WPDy7uuSZftGE4WpEuphlQ4byPVIfCdZOaROb55Dt5UdhRoz', 'P9MZcOsh7DQp81YscuSjPuv6yIIEe0tSh7nfICGLoXTUrFWlabaoGfV5BbFDsc11FcQLchaP3wAcA', 'mfVlzF8bQX6xCw7yPQcjlUYAb7GeqGmpyPi2LA1C0CneK4Txl2rLe18hRdzR0pj2Gl2X18LiqUq8f', 'q1D5EIMuXr9n143pqUJXSTCUfVYXcmkbttFkRhDS6RtlSB7WELh3F3AsnOIcWMEiuaFLP34TnrzUT', 'susH1NZtA8ujwzdPVH3Yfsc6l7AwqKt5ibgBpsHOQf7DHwwPhBaNsj8xLiiI9tMGnb2LnqQqH2n7C'
Source: X.exe.0.dr, umwp9AMg5lxEEt7pD1HOrJazhdph96HqgMOndolUFCAXavvFh2xFOg6kVr9JWMwETKIv3g3aufJtos1WryP7daOl6TBz.cs	High entropy of concatenated method names: 'FOeo5xICROFmt6uFpXHkVl34iNsISskc8tMyxTOPRiaWZ6ICMMS0ivnqoepkgCCxPxhVxT0CZcQivXSuYedr9dHP3RF6', 'iQCE0eg6JTQUuoQe8DhaYfKg9zhFVPl8L1Flv5byiQwBqZmnZumGoe7NY7jiNdsdsZ0uEbV8i5npuzxpZblKqAw4OTMF', 'jaMGxxuikP2emh88lWzAFP8DB6iwJnL05suEkVlyE3tKnOqAU0EhbdwsTA3LD7nB3NaaWFxv7LgjqMJC421TfHALTDyD', 'MNgGPACbvGd51gJmUqPeb4qQBDXDp0piyEwQG08bKWdHTtGwPyJ04aQttQOidBfcgBFksyeSFfZP2Gt8fDulGVtTXanE', 't0kvSS6G4yA96Egr07T5', 'Uv69mFvL94TvYyd7OPzd', 'Of2jC8FjEg19qQbcnw9m', 'u34pSCrrRlWS55rY0zK3', 'JVJcn9Q0gjeM9Fj12H8I', '_53ntAmuOr6cx6o4ZoEbp'
Source: X.exe.0.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	High entropy of concatenated method names: 'e3CGvr5qu08Fb35l7eNlsgpvSSv9fbx2EsWlDYKlBCKIef4jJWjoz7zW8SnaTQUieNKwMBkVrnds3', '_81bkgQzNaOgSB5AkJmtU0AKwuwObGnN8UZH0Slcb6bOeGazOZaJfuyS3WC3zHoxKTFNx4SpbId259', 'xawXHo3NYXrSxuoQUWHrEKXnkBmkdBUa0w3FDKZgKXxOkLcuOEe5x5XBtE2YNlcBg590VmJ5lsS7X', 'PXUnBCr96jp93lLT0JyC', 'WBExqciHffEchvgxPUb5A7qXliQqjIIbzopyshNzFKPAmOMT7VEs', 'Ca2bioiJl6L9AQJv9ZRWzdNosITvoyFOJrbGEiLKP1qNwrjWbEKn', 'KPR2jSqBT58tZl0wLYYxHdQ8CJXYjzNkCbl345DKDkvKfv3nxtiv', 'SKuoyafNzcMmWgoUJLFzan7mrRJQ3iokB4rLG2b29lK2mth0HNE8', 'EPnYrnRyW6DKbhZkh5w55hovwH7oHHd3mfz1weI4L3UTr1ypBDWK', 'ziGDhFmyiTiduHpdPtPwSzct1zWOJGB4XCniUPegm2EKCDf9evbP'
Source: X.exe.0.dr, XTmjNlBDLPEMlUHpxzRnEHkerr4bOLgCksWpohEld3ivOptA0jWgPH7PX8TyQTMDNEEQ33XDcgcfd.cs	High entropy of concatenated method names: 'cF4yNTFzVIstnUm8H7yion0tg73JTPQqrrkDHsIyiaLqLKL9oo7WTFmbmTwCW8fnvf6B7GyWJqNBZ', 'pcYKSGFFNvV0xt9z8D8l', 'uLMek60WbIZjYAWvrouB', 'i0YKwq8mVUfSIBhU1X5C', 'tHtrQEH5E3P0OKXxe2ga'
Source: X.exe.0.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	High entropy of concatenated method names: 'kX2TuQmq5YwmdrVgKSZbaz6tzU5LdL0LIf6xbfdpvKj4p34yOUgQibyuVTdIjVKWZbb51KihKKSEL', 'hlsiJeax9t0djIDxWYLh', '_7DTKPOVQzZCFF5auyIJW', 'lsUqypPPrfMsFP731HaP', '_3HJYTd3gZh6Gvyw5I3CQ', 'or2Az45P6yScNtqYScIZ', 'BfTBasLanFRRnd0Rk2QY', 'nQjs7TFwEWFrlzh9taVg', 'YI9q1jCi0u9qjW1H1zo5', 'RgihGvOLC3SonEoxJQr0'
Source: X.exe.0.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	High entropy of concatenated method names: 'NziW8XSXfJLEIrUXdk27fC3VOp8XereqxkSWBN9Nn0p3hR830oFjsV48alZVOj7MkW3kD6Gfg7hhegS755wvYnROl511', 'BsM3GwSQ4UIraYKsC5zwhpH6gZSUutMGX7J5ZalGXrphtO3ewPjtGAO8MeDyKpXvsjGZfIvWjbgaeVGHBvc7v8Y9ZgKx', 'kK0gh0IB8ZyvMocq8TIcqlcI2h9Y421OiFFQOO76jfaIqjQhlaLYrjRACreHcbyHLceK69Rd4hd7CIZJNDhv3W8HonCx', 'zRWZutwZXj1RBmScTQrRBr1wep1Z48OAoKi66ideNBZUwwLBiIVOjLb6eqfdmtJRHhE0kCBiXWPXWcIl9FWvAmW1um7C', 'zQQH2LNvnG9w7CkJ2o5aP4oXBAu4251ZQ2oy0M0lSmu3jgX1nckZRed66IT94dgiGI345nq5Dl5LqIxcXnNJ0oJFBEKd', 'fbVzelS7wR8lIxmWsfI7QJ2GmpKh4OCS3EMaDq0xrOjhjviMWe9yERBfBUoHddSPgTlEnlV2XL6SZKZg0Xn8xRb1xpds', '_5uEWX5v0Yi6UGtXMTWATXugNKycCboZIAHUJzre6dxgJkzBI73PiLqjRmpVU5IpINgvHTcES441N2ZauzX6pZ4KReoa9', 'poyoyh0G0GhwPzbsrCuOfxuFCALsD6V9S5AnSOTodmuXJmfUQvRp4xaa38nQdisbMdHaIYku5osklbOh1b6oAFaXQumP', '_0GpnysDlukr8QC9sQfhUrIB4PoThVtgsm91VJZZFFWOCkcumP8MSZjv2B2u2arIDYAUqvCn8sSQqMvaol3JUnqcfbOZC', 'bnz0OR7SHsn8KYA1z3WWNXDzT5tIuovrIVycr1YyrdcwNJrGrHWxcgUSjomqk4ADLRbx8xOv3k6e71NJ07K7r5pZpvzg'
Source: X.exe.0.dr, ShiMiSw6hOXz3m28qaYKiilCTtdUCmTGs1qRUugYwzzEcoaavnggxyLXBjcEJNNEqjHFmzwdoRwei.cs	High entropy of concatenated method names: 'IbGF7xgffy69flOyKyC5GxJTISImhFC0w7rSn3xNSehozlZU1EqaZM6WUNogfSej0qtJXXhzDGFCB', 'Hho8UW8EYm9TtigbIjuV6vC6mzx49vMrbDcaVBuV9b9nUqGrLsHKBwwOtBjzLJtwsOVbIjDFMkeRj', 'EKtlG9oinIjvC2lCWCVAEmbXVHEZkKG26DaOiIL4MnlfHt74NJZsKIyuj8SbL25XmazQ89mqKqjCt', 'smbGajaQsBxA7l54zd04', 'aFhb5tTBZRnJvrvaKiyu', 'lMUzmSdFWCG3IXDxLE4O', 'gPlgDAgTyg6BJMel76lS', 'k14Xa0PqtNpNiI6gI9v9', 'Sf2muGgQ60OcASgVHVRN', 'nIzjKwPkAudF7qhkwVy8'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 9M4B1GrUSVl6ZkgZecK5.cs	High entropy of concatenated method names: 'l0FiV1uyY6XgHt1KUrCt', 'x9AMaYlzzX1eaAnfI7aq', 'rBvCVuSeBtaLNni4uEvf', 'YJOXWQkCwCpQPvykZx69HSDgoQ92vJWowUCO06Mg3q25tn8xMU8f', 'uLmSXH0siGZKk0AKRxeGKs3LwzgqTG2bmIBwOZM0GlQSdplxX62g', 'dcpgf1D4BTcLq9uOmgjRFIN15pnhroIITDtLluEc02EHBaTEjoRb', 'EjdlsvOedAhnZLG62s6AWE0GfGgBPdypla0hvb3Yv5s0CjAMSTj7', 'qM7IckYa6hctTc57jAiqie8G4GsL0I4EoQRJMXufdbRYme8U5Hj5', 'eANpGBvDnau4a6vSKvVjLpl3MOjnGaF1bKCCUehA2YSukkYly6b0', 'fFbJhnxWLyXLCjL08Q6w9wFHJuzOldlvHBzlcw9H5AX52ENfT1gi'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, vj570uwkd7cUNklRh7kC10hlZMwhwjtBuflh4kXo8tfARZksd2cbVfOSTPfMQYtdnk0LCXp3JQHLu.cs	High entropy of concatenated method names: 'nBjxIeG6fcQuivblrEHPOVYpIT8CnDkSxir4BNVmQlEUcST19QjWAgu8CM2HIahH12WbGGAo97WAP', 'QeGh0FifMu6r5t0l5HxHYCaUVROYajtQ4eWtqrwl2bmfb29CmkxNFTWdbEbkjYZaj7Op3Xpj6bNds', 'KRVxlIvZG3gbNxoYa29sPsDHx5uJXu9pW7l2K0Rso8pOK6GCD5liIEbGf1qoml5cdelBbZNwgFseE', 'M5kJDkjBtjpu7HNmrhmfuOnXX47RJgvzVKgZZyzIxsx9sAxyylC7hWB54qrgWjPb2Gjv6gRONVAxR', 'LXgHbKZ8MtjAjDTqHldz', 'TffD3rp7aUsPuNH2daSy', '_4avzKuuxSTYLH4YW1BsS', '_31pDrWITj2y887pktCZr', 'YY0ZprY8oX1XWHhWjihj', '_6sehBr4kQiuKXmLTwfN1'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	High entropy of concatenated method names: 'h1vX4Vzkw1ff8uXp6vttbhpb9yFQrv3VfI53CaL29ZDX8UHicEM4kwYRXqX9uDCw8KOFEJT8BNbTiWP9n9kPZ1HcCxlT', '_12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E', 'JQhqx6wvf2kikAuVvxK1x1JsDSEu74pqTRM1nx8QGKGvU4R04kUe3VEK1LRy8PYx509YpXZ4oKOoqkpaQk1U5kVGlaUd', 'FhgatrPhZKNy5QLTl67tRVW1DPfXOo1UyOFba6UhREAukvNcTGQoqJlphNbh5jUXHFAS5pdqnZPf2PIGYBGFgUwBwuyZ', 'c43NLo0Ak8GyU4KxoRNIvxGPK0YwEK340AYIGiGjwiG21xT88bfGWMbovJ85T7GsdDW7VjXTsVXf0S1g7m1qnjKbsMbe', 'DiL9HeA0NuvC2GDGi8JRubPgKKTYcocLq4BLtmmMANm6WPDy7uuSZftGE4WpEuphlQ4byPVIfCdZOaROb55Dt5UdhRoz', 'P9MZcOsh7DQp81YscuSjPuv6yIIEe0tSh7nfICGLoXTUrFWlabaoGfV5BbFDsc11FcQLchaP3wAcA', 'mfVlzF8bQX6xCw7yPQcjlUYAb7GeqGmpyPi2LA1C0CneK4Txl2rLe18hRdzR0pj2Gl2X18LiqUq8f', 'q1D5EIMuXr9n143pqUJXSTCUfVYXcmkbttFkRhDS6RtlSB7WELh3F3AsnOIcWMEiuaFLP34TnrzUT', 'susH1NZtA8ujwzdPVH3Yfsc6l7AwqKt5ibgBpsHOQf7DHwwPhBaNsj8xLiiI9tMGnb2LnqQqH2n7C'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, umwp9AMg5lxEEt7pD1HOrJazhdph96HqgMOndolUFCAXavvFh2xFOg6kVr9JWMwETKIv3g3aufJtos1WryP7daOl6TBz.cs	High entropy of concatenated method names: 'FOeo5xICROFmt6uFpXHkVl34iNsISskc8tMyxTOPRiaWZ6ICMMS0ivnqoepkgCCxPxhVxT0CZcQivXSuYedr9dHP3RF6', 'iQCE0eg6JTQUuoQe8DhaYfKg9zhFVPl8L1Flv5byiQwBqZmnZumGoe7NY7jiNdsdsZ0uEbV8i5npuzxpZblKqAw4OTMF', 'jaMGxxuikP2emh88lWzAFP8DB6iwJnL05suEkVlyE3tKnOqAU0EhbdwsTA3LD7nB3NaaWFxv7LgjqMJC421TfHALTDyD', 'MNgGPACbvGd51gJmUqPeb4qQBDXDp0piyEwQG08bKWdHTtGwPyJ04aQttQOidBfcgBFksyeSFfZP2Gt8fDulGVtTXanE', 't0kvSS6G4yA96Egr07T5', 'Uv69mFvL94TvYyd7OPzd', 'Of2jC8FjEg19qQbcnw9m', 'u34pSCrrRlWS55rY0zK3', 'JVJcn9Q0gjeM9Fj12H8I', '_53ntAmuOr6cx6o4ZoEbp'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	High entropy of concatenated method names: 'e3CGvr5qu08Fb35l7eNlsgpvSSv9fbx2EsWlDYKlBCKIef4jJWjoz7zW8SnaTQUieNKwMBkVrnds3', '_81bkgQzNaOgSB5AkJmtU0AKwuwObGnN8UZH0Slcb6bOeGazOZaJfuyS3WC3zHoxKTFNx4SpbId259', 'xawXHo3NYXrSxuoQUWHrEKXnkBmkdBUa0w3FDKZgKXxOkLcuOEe5x5XBtE2YNlcBg590VmJ5lsS7X', 'PXUnBCr96jp93lLT0JyC', 'WBExqciHffEchvgxPUb5A7qXliQqjIIbzopyshNzFKPAmOMT7VEs', 'Ca2bioiJl6L9AQJv9ZRWzdNosITvoyFOJrbGEiLKP1qNwrjWbEKn', 'KPR2jSqBT58tZl0wLYYxHdQ8CJXYjzNkCbl345DKDkvKfv3nxtiv', 'SKuoyafNzcMmWgoUJLFzan7mrRJQ3iokB4rLG2b29lK2mth0HNE8', 'EPnYrnRyW6DKbhZkh5w55hovwH7oHHd3mfz1weI4L3UTr1ypBDWK', 'ziGDhFmyiTiduHpdPtPwSzct1zWOJGB4XCniUPegm2EKCDf9evbP'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, XTmjNlBDLPEMlUHpxzRnEHkerr4bOLgCksWpohEld3ivOptA0jWgPH7PX8TyQTMDNEEQ33XDcgcfd.cs	High entropy of concatenated method names: 'cF4yNTFzVIstnUm8H7yion0tg73JTPQqrrkDHsIyiaLqLKL9oo7WTFmbmTwCW8fnvf6B7GyWJqNBZ', 'pcYKSGFFNvV0xt9z8D8l', 'uLMek60WbIZjYAWvrouB', 'i0YKwq8mVUfSIBhU1X5C', 'tHtrQEH5E3P0OKXxe2ga'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	High entropy of concatenated method names: 'kX2TuQmq5YwmdrVgKSZbaz6tzU5LdL0LIf6xbfdpvKj4p34yOUgQibyuVTdIjVKWZbb51KihKKSEL', 'hlsiJeax9t0djIDxWYLh', '_7DTKPOVQzZCFF5auyIJW', 'lsUqypPPrfMsFP731HaP', '_3HJYTd3gZh6Gvyw5I3CQ', 'or2Az45P6yScNtqYScIZ', 'BfTBasLanFRRnd0Rk2QY', 'nQjs7TFwEWFrlzh9taVg', 'YI9q1jCi0u9qjW1H1zo5', 'RgihGvOLC3SonEoxJQr0'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	High entropy of concatenated method names: 'NziW8XSXfJLEIrUXdk27fC3VOp8XereqxkSWBN9Nn0p3hR830oFjsV48alZVOj7MkW3kD6Gfg7hhegS755wvYnROl511', 'BsM3GwSQ4UIraYKsC5zwhpH6gZSUutMGX7J5ZalGXrphtO3ewPjtGAO8MeDyKpXvsjGZfIvWjbgaeVGHBvc7v8Y9ZgKx', 'kK0gh0IB8ZyvMocq8TIcqlcI2h9Y421OiFFQOO76jfaIqjQhlaLYrjRACreHcbyHLceK69Rd4hd7CIZJNDhv3W8HonCx', 'zRWZutwZXj1RBmScTQrRBr1wep1Z48OAoKi66ideNBZUwwLBiIVOjLb6eqfdmtJRHhE0kCBiXWPXWcIl9FWvAmW1um7C', 'zQQH2LNvnG9w7CkJ2o5aP4oXBAu4251ZQ2oy0M0lSmu3jgX1nckZRed66IT94dgiGI345nq5Dl5LqIxcXnNJ0oJFBEKd', 'fbVzelS7wR8lIxmWsfI7QJ2GmpKh4OCS3EMaDq0xrOjhjviMWe9yERBfBUoHddSPgTlEnlV2XL6SZKZg0Xn8xRb1xpds', '_5uEWX5v0Yi6UGtXMTWATXugNKycCboZIAHUJzre6dxgJkzBI73PiLqjRmpVU5IpINgvHTcES441N2ZauzX6pZ4KReoa9', 'poyoyh0G0GhwPzbsrCuOfxuFCALsD6V9S5AnSOTodmuXJmfUQvRp4xaa38nQdisbMdHaIYku5osklbOh1b6oAFaXQumP', '_0GpnysDlukr8QC9sQfhUrIB4PoThVtgsm91VJZZFFWOCkcumP8MSZjv2B2u2arIDYAUqvCn8sSQqMvaol3JUnqcfbOZC', 'bnz0OR7SHsn8KYA1z3WWNXDzT5tIuovrIVycr1YyrdcwNJrGrHWxcgUSjomqk4ADLRbx8xOv3k6e71NJ07K7r5pZpvzg'
Source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, ShiMiSw6hOXz3m28qaYKiilCTtdUCmTGs1qRUugYwzzEcoaavnggxyLXBjcEJNNEqjHFmzwdoRwei.cs	High entropy of concatenated method names: 'IbGF7xgffy69flOyKyC5GxJTISImhFC0w7rSn3xNSehozlZU1EqaZM6WUNogfSej0qtJXXhzDGFCB', 'Hho8UW8EYm9TtigbIjuV6vC6mzx49vMrbDcaVBuV9b9nUqGrLsHKBwwOtBjzLJtwsOVbIjDFMkeRj', 'EKtlG9oinIjvC2lCWCVAEmbXVHEZkKG26DaOiIL4MnlfHt74NJZsKIyuj8SbL25XmazQ89mqKqjCt', 'smbGajaQsBxA7l54zd04', 'aFhb5tTBZRnJvrvaKiyu', 'lMUzmSdFWCG3IXDxLE4O', 'gPlgDAgTyg6BJMel76lS', 'k14Xa0PqtNpNiI6gI9v9', 'Sf2muGgQ60OcASgVHVRN', 'nIzjKwPkAudF7qhkwVy8'
Source: X.exe.2.dr, 9M4B1GrUSVl6ZkgZecK5.cs	High entropy of concatenated method names: 'l0FiV1uyY6XgHt1KUrCt', 'x9AMaYlzzX1eaAnfI7aq', 'rBvCVuSeBtaLNni4uEvf', 'YJOXWQkCwCpQPvykZx69HSDgoQ92vJWowUCO06Mg3q25tn8xMU8f', 'uLmSXH0siGZKk0AKRxeGKs3LwzgqTG2bmIBwOZM0GlQSdplxX62g', 'dcpgf1D4BTcLq9uOmgjRFIN15pnhroIITDtLluEc02EHBaTEjoRb', 'EjdlsvOedAhnZLG62s6AWE0GfGgBPdypla0hvb3Yv5s0CjAMSTj7', 'qM7IckYa6hctTc57jAiqie8G4GsL0I4EoQRJMXufdbRYme8U5Hj5', 'eANpGBvDnau4a6vSKvVjLpl3MOjnGaF1bKCCUehA2YSukkYly6b0', 'fFbJhnxWLyXLCjL08Q6w9wFHJuzOldlvHBzlcw9H5AX52ENfT1gi'
Source: X.exe.2.dr, vj570uwkd7cUNklRh7kC10hlZMwhwjtBuflh4kXo8tfARZksd2cbVfOSTPfMQYtdnk0LCXp3JQHLu.cs	High entropy of concatenated method names: 'nBjxIeG6fcQuivblrEHPOVYpIT8CnDkSxir4BNVmQlEUcST19QjWAgu8CM2HIahH12WbGGAo97WAP', 'QeGh0FifMu6r5t0l5HxHYCaUVROYajtQ4eWtqrwl2bmfb29CmkxNFTWdbEbkjYZaj7Op3Xpj6bNds', 'KRVxlIvZG3gbNxoYa29sPsDHx5uJXu9pW7l2K0Rso8pOK6GCD5liIEbGf1qoml5cdelBbZNwgFseE', 'M5kJDkjBtjpu7HNmrhmfuOnXX47RJgvzVKgZZyzIxsx9sAxyylC7hWB54qrgWjPb2Gjv6gRONVAxR', 'LXgHbKZ8MtjAjDTqHldz', 'TffD3rp7aUsPuNH2daSy', '_4avzKuuxSTYLH4YW1BsS', '_31pDrWITj2y887pktCZr', 'YY0ZprY8oX1XWHhWjihj', '_6sehBr4kQiuKXmLTwfN1'
Source: X.exe.2.dr, qA3xJ08zpQfs1PatXRChKIXDeVAhCBewikgOBqqDD7Z0DpJ0Y1cBDtBKuydSRKnqbyrVaAnRqA98w9KmmChGdJb3zXxK.cs	High entropy of concatenated method names: 'h1vX4Vzkw1ff8uXp6vttbhpb9yFQrv3VfI53CaL29ZDX8UHicEM4kwYRXqX9uDCw8KOFEJT8BNbTiWP9n9kPZ1HcCxlT', '_12dsdNZ7dv2yFnwrQmNZ1lTtF8EgnIZTMSyOk1jeOAi2VgluGmiPixkr5sG6UeGD19WuF8kzjIJnt6UJI3Zh9YyjI79E', 'JQhqx6wvf2kikAuVvxK1x1JsDSEu74pqTRM1nx8QGKGvU4R04kUe3VEK1LRy8PYx509YpXZ4oKOoqkpaQk1U5kVGlaUd', 'FhgatrPhZKNy5QLTl67tRVW1DPfXOo1UyOFba6UhREAukvNcTGQoqJlphNbh5jUXHFAS5pdqnZPf2PIGYBGFgUwBwuyZ', 'c43NLo0Ak8GyU4KxoRNIvxGPK0YwEK340AYIGiGjwiG21xT88bfGWMbovJ85T7GsdDW7VjXTsVXf0S1g7m1qnjKbsMbe', 'DiL9HeA0NuvC2GDGi8JRubPgKKTYcocLq4BLtmmMANm6WPDy7uuSZftGE4WpEuphlQ4byPVIfCdZOaROb55Dt5UdhRoz', 'P9MZcOsh7DQp81YscuSjPuv6yIIEe0tSh7nfICGLoXTUrFWlabaoGfV5BbFDsc11FcQLchaP3wAcA', 'mfVlzF8bQX6xCw7yPQcjlUYAb7GeqGmpyPi2LA1C0CneK4Txl2rLe18hRdzR0pj2Gl2X18LiqUq8f', 'q1D5EIMuXr9n143pqUJXSTCUfVYXcmkbttFkRhDS6RtlSB7WELh3F3AsnOIcWMEiuaFLP34TnrzUT', 'susH1NZtA8ujwzdPVH3Yfsc6l7AwqKt5ibgBpsHOQf7DHwwPhBaNsj8xLiiI9tMGnb2LnqQqH2n7C'
Source: X.exe.2.dr, umwp9AMg5lxEEt7pD1HOrJazhdph96HqgMOndolUFCAXavvFh2xFOg6kVr9JWMwETKIv3g3aufJtos1WryP7daOl6TBz.cs	High entropy of concatenated method names: 'FOeo5xICROFmt6uFpXHkVl34iNsISskc8tMyxTOPRiaWZ6ICMMS0ivnqoepkgCCxPxhVxT0CZcQivXSuYedr9dHP3RF6', 'iQCE0eg6JTQUuoQe8DhaYfKg9zhFVPl8L1Flv5byiQwBqZmnZumGoe7NY7jiNdsdsZ0uEbV8i5npuzxpZblKqAw4OTMF', 'jaMGxxuikP2emh88lWzAFP8DB6iwJnL05suEkVlyE3tKnOqAU0EhbdwsTA3LD7nB3NaaWFxv7LgjqMJC421TfHALTDyD', 'MNgGPACbvGd51gJmUqPeb4qQBDXDp0piyEwQG08bKWdHTtGwPyJ04aQttQOidBfcgBFksyeSFfZP2Gt8fDulGVtTXanE', 't0kvSS6G4yA96Egr07T5', 'Uv69mFvL94TvYyd7OPzd', 'Of2jC8FjEg19qQbcnw9m', 'u34pSCrrRlWS55rY0zK3', 'JVJcn9Q0gjeM9Fj12H8I', '_53ntAmuOr6cx6o4ZoEbp'
Source: X.exe.2.dr, 8jqRj56t1eC6Zn1HQ3Byj9Q8NPI0qatoGc4agj0kiAGLl7xzEbvrDYTlyVDboGRRVg6jvw3MgeOFM.cs	High entropy of concatenated method names: 'e3CGvr5qu08Fb35l7eNlsgpvSSv9fbx2EsWlDYKlBCKIef4jJWjoz7zW8SnaTQUieNKwMBkVrnds3', '_81bkgQzNaOgSB5AkJmtU0AKwuwObGnN8UZH0Slcb6bOeGazOZaJfuyS3WC3zHoxKTFNx4SpbId259', 'xawXHo3NYXrSxuoQUWHrEKXnkBmkdBUa0w3FDKZgKXxOkLcuOEe5x5XBtE2YNlcBg590VmJ5lsS7X', 'PXUnBCr96jp93lLT0JyC', 'WBExqciHffEchvgxPUb5A7qXliQqjIIbzopyshNzFKPAmOMT7VEs', 'Ca2bioiJl6L9AQJv9ZRWzdNosITvoyFOJrbGEiLKP1qNwrjWbEKn', 'KPR2jSqBT58tZl0wLYYxHdQ8CJXYjzNkCbl345DKDkvKfv3nxtiv', 'SKuoyafNzcMmWgoUJLFzan7mrRJQ3iokB4rLG2b29lK2mth0HNE8', 'EPnYrnRyW6DKbhZkh5w55hovwH7oHHd3mfz1weI4L3UTr1ypBDWK', 'ziGDhFmyiTiduHpdPtPwSzct1zWOJGB4XCniUPegm2EKCDf9evbP'
Source: X.exe.2.dr, XTmjNlBDLPEMlUHpxzRnEHkerr4bOLgCksWpohEld3ivOptA0jWgPH7PX8TyQTMDNEEQ33XDcgcfd.cs	High entropy of concatenated method names: 'cF4yNTFzVIstnUm8H7yion0tg73JTPQqrrkDHsIyiaLqLKL9oo7WTFmbmTwCW8fnvf6B7GyWJqNBZ', 'pcYKSGFFNvV0xt9z8D8l', 'uLMek60WbIZjYAWvrouB', 'i0YKwq8mVUfSIBhU1X5C', 'tHtrQEH5E3P0OKXxe2ga'
Source: X.exe.2.dr, 0I8x8CYiEfbBrQz48jeJtP3VpG4pYsXDq3jbVqKcsFzvJEN4i2thRSuAB9c7dhEd4kFpZeNLprol8.cs	High entropy of concatenated method names: 'kX2TuQmq5YwmdrVgKSZbaz6tzU5LdL0LIf6xbfdpvKj4p34yOUgQibyuVTdIjVKWZbb51KihKKSEL', 'hlsiJeax9t0djIDxWYLh', '_7DTKPOVQzZCFF5auyIJW', 'lsUqypPPrfMsFP731HaP', '_3HJYTd3gZh6Gvyw5I3CQ', 'or2Az45P6yScNtqYScIZ', 'BfTBasLanFRRnd0Rk2QY', 'nQjs7TFwEWFrlzh9taVg', 'YI9q1jCi0u9qjW1H1zo5', 'RgihGvOLC3SonEoxJQr0'
Source: X.exe.2.dr, DUHYyL2hsDtmJ2VlWUva7I27wPlHX3n1EfP8INb8knxtpGp30H5E1wO1C3roC5b4aolWyafzGbBheCrredHnhr3wAzf9.cs	High entropy of concatenated method names: 'NziW8XSXfJLEIrUXdk27fC3VOp8XereqxkSWBN9Nn0p3hR830oFjsV48alZVOj7MkW3kD6Gfg7hhegS755wvYnROl511', 'BsM3GwSQ4UIraYKsC5zwhpH6gZSUutMGX7J5ZalGXrphtO3ewPjtGAO8MeDyKpXvsjGZfIvWjbgaeVGHBvc7v8Y9ZgKx', 'kK0gh0IB8ZyvMocq8TIcqlcI2h9Y421OiFFQOO76jfaIqjQhlaLYrjRACreHcbyHLceK69Rd4hd7CIZJNDhv3W8HonCx', 'zRWZutwZXj1RBmScTQrRBr1wep1Z48OAoKi66ideNBZUwwLBiIVOjLb6eqfdmtJRHhE0kCBiXWPXWcIl9FWvAmW1um7C', 'zQQH2LNvnG9w7CkJ2o5aP4oXBAu4251ZQ2oy0M0lSmu3jgX1nckZRed66IT94dgiGI345nq5Dl5LqIxcXnNJ0oJFBEKd', 'fbVzelS7wR8lIxmWsfI7QJ2GmpKh4OCS3EMaDq0xrOjhjviMWe9yERBfBUoHddSPgTlEnlV2XL6SZKZg0Xn8xRb1xpds', '_5uEWX5v0Yi6UGtXMTWATXugNKycCboZIAHUJzre6dxgJkzBI73PiLqjRmpVU5IpINgvHTcES441N2ZauzX6pZ4KReoa9', 'poyoyh0G0GhwPzbsrCuOfxuFCALsD6V9S5AnSOTodmuXJmfUQvRp4xaa38nQdisbMdHaIYku5osklbOh1b6oAFaXQumP', '_0GpnysDlukr8QC9sQfhUrIB4PoThVtgsm91VJZZFFWOCkcumP8MSZjv2B2u2arIDYAUqvCn8sSQqMvaol3JUnqcfbOZC', 'bnz0OR7SHsn8KYA1z3WWNXDzT5tIuovrIVycr1YyrdcwNJrGrHWxcgUSjomqk4ADLRbx8xOv3k6e71NJ07K7r5pZpvzg'
Source: X.exe.2.dr, ShiMiSw6hOXz3m28qaYKiilCTtdUCmTGs1qRUugYwzzEcoaavnggxyLXBjcEJNNEqjHFmzwdoRwei.cs	High entropy of concatenated method names: 'IbGF7xgffy69flOyKyC5GxJTISImhFC0w7rSn3xNSehozlZU1EqaZM6WUNogfSej0qtJXXhzDGFCB', 'Hho8UW8EYm9TtigbIjuV6vC6mzx49vMrbDcaVBuV9b9nUqGrLsHKBwwOtBjzLJtwsOVbIjDFMkeRj', 'EKtlG9oinIjvC2lCWCVAEmbXVHEZkKG26DaOiIL4MnlfHt74NJZsKIyuj8SbL25XmazQ89mqKqjCt', 'smbGajaQsBxA7l54zd04', 'aFhb5tTBZRnJvrvaKiyu', 'lMUzmSdFWCG3IXDxLE4O', 'gPlgDAgTyg6BJMel76lS', 'k14Xa0PqtNpNiI6gI9v9', 'Sf2muGgQ60OcASgVHVRN', 'nIzjKwPkAudF7qhkwVy8'

Drops PE files

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	File created: C:\Users\user\AppData\Local\Temp\X.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\X.exe	File created: C:\Users\user\AppData\Roaming\X.exe			Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\AppData\Local\Temp\X.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\X.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\X.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run X			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run X			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\X.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Memory allocated: A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Memory allocated: 1A4B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Memory allocated: C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Memory allocated: 1A9C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\X.exe	Memory allocated: B40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\X.exe	Memory allocated: 1A690000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\X.exe	Memory allocated: 800000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\X.exe	Memory allocated: 1A400000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\X.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\X.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\X.exe	Window / User API: threadDelayed 2386	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Window / User API: threadDelayed 7446	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5278	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4521	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7108	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2410	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8453	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1139	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\OXhiMvksgM.exe TID: 3852	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe TID: 6280	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4620	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6288	Thread sleep count: 7108 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6288	Thread sleep count: 2410 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7012	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3608	Thread sleep count: 8453 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3608	Thread sleep count: 1139 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2308	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\X.exe TID: 7016	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\X.exe TID: 2612	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\X.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\X.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\X.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\X.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.18.dr	Binary or memory string: VMware
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.18.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.18.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.18.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.18.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.18.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.18.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.18.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.18.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.18.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.18.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.18.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.18.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local\Temp\X.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process queried: DebugPort			Jump to behavior

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\X.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\OXhiMvksgM.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X.exe'
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Local\Temp\X.exe

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Process created: C:\Users\user\AppData\Local\Temp\X.exe "C:\Users\user\AppData\Local\Temp\X.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\X.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\X.exe'	Jump to behavior

Source: X.exe, 00000002.00000002.3289710637.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: X.exe, 00000002.00000002.3289710637.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: X.exe, 00000002.00000002.3289710637.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: X.exe, 00000002.00000002.3289710637.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: X.exe, 00000002.00000002.3289710637.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Queries volume information: C:\Users\user\Desktop\OXhiMvksgM.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OXhiMvksgM.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\X.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\X.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\X.exe	Queries volume information: C:\Users\user\AppData\Roaming\X.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\X.exe	Queries volume information: C:\Users\user\AppData\Roaming\X.exe VolumeInformation

Source: C:\Users\user\Desktop\OXhiMvksgM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: X.exe, 00000002.00000002.3286114138.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp, X.exe, 00000002.00000002.3286114138.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, X.exe, 00000002.00000002.3318294673.000000001B800000.00000004.00000020.00020000.00000000.sdmp, X.exe, 00000002.00000002.3318294673.000000001B8B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\AppData\Local\Temp\X.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\X.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\X.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\X.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\X.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\X.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\X.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\X.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.OXhiMvksgM.exe.24d4310.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.X.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2145180452.00000000006C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OXhiMvksgM.exe PID: 2788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: X.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\X.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\X.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.OXhiMvksgM.exe.24d4310.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.X.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OXhiMvksgM.exe.24d4310.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2171213826.00000000024CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2145180452.00000000006C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OXhiMvksgM.exe PID: 2788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: X.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\X.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\X.exe, type: DROPPED

ID:	1557206
Product:	CloudBasic
Start time:	19:23:06
Start date:	17.11.2024
Sample:	OXhiMvksgM.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	651429675c1d86cf068746159aa66b6d
SHA1:	aad51d3448cb1e9f337a985ed840a0064d5699ee
SHA256:	30258a07cc6d0fa827544493e9036e955056da88d0530efa8cf3535ecbf8e75c
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_X.exe_2883bebedfe0a947abfaed60a9497f85b63fa3ab_10868351_ec699ee9-e9a8-460e-8bd9-cd651ef3aa8e\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	F26E795552BAE8CC1CA5F149A72AC022	3D7BFC69BFF90C4BEB361EE8A13126F087AC0F7D	98B503380FEDD9F583DB5B149BA724CCD6DA6FDC13DFB67D6FF986FEB1B202D5
C:\ProgramData\Microsoft\Windows\WER\Temp\WER635D.tmp.dmp	Mini DuMP crash report, 16 streams, Sun Nov 17 18:25:52 2024, 0x1205a4 type	1B424847E4F744929A9DB566ECBBBEF6	636ED899E90F19EDDA353AF12B0B40E6CB0104E6	8F589308B97A8392E396816B6FF8768DB802ECA518D39B83E8CD5D74487D6D91
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6504.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	CC760EF0A225EC0B41B12F4A4D77C597	B4E0FCB10D0CB26A38E1661EE4523E3246C70EEF	BFC1FBD758A397B428BA0D71950A2683440FE8448415752B55ABB7173BBAE41A
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6543.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	4A3963020399D1D319F1B15B3368414C	75A5A0C9A289493DC39A18C379354A36911512AF	F34DA58A0BDD6A9BCFF0473E3A58BD7A2551E9E85B5B05D987F6AE803B92257F
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OXhiMvksgM.exe.log	CSV text	30E4BDFC34907D0E4D11152CAEBE27FA	825402D6B151041BA01C5117387228EC9B7168BF	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\X.exe.log	CSV text	30E4BDFC34907D0E4D11152CAEBE27FA	825402D6B151041BA01C5117387228EC9B7168BF	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	446DD1CF97EABA21CF14D03AEBC79F27	36E4CC7367E0C7B40F4A8ACE272941EA46373799	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
C:\Users\user\AppData\Local\Temp\Semo.exe.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Oct 18 19:21:12 2024, mtime=Sat Nov 16 19:25:29 2024, atime=Sun Nov 10 22:05:12 2024, length=968192, window=hide	87454103F3D64B8A7167915FB7743A20	07249045C09C432FEA3DBAC21FBBFEBE7C76620F	119A6BBEC9B7221CC7687FA12DD2CD0D8FF91A17F073EF1EF649FF346B40BC84
C:\Users\user\AppData\Local\Temp\X.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	2C76B88A912C741F1404B400C1ADD578	13D1B6D341D59AEF6833A4123E22484DDB665183	5178365164F71D22459D807A5BA61E8D50DD15A4ADB4A00B08248C6F141F8074
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_00fd4eos.t33.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_10v1h1h1.vja.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2mqi5pi0.hdf.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5yanlcpp.fn2.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fwx5cq5u.kd5.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gapu0315.y0y.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jmrsoecl.u1a.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kxybqzn5.3nd.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ogcykjou.cua.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_skhan0r1.1qo.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tdvefrgy.iwg.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y4tdsawi.k3i.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Nov 17 17:24:38 2024, mtime=Sun Nov 17 17:24:39 2024, atime=Sun Nov 17 17:24:39 2024, length=62464, window=hide	3A247E5328AAB2E3737414204029E0BF	E48F93A994EF2F77C4A4DD05151ECC0DF73F4426	E2F923401E843AC9E266CBFB20D797F89D96F5239BECFB0A1479A5440308F4F4
C:\Users\user\AppData\Roaming\X.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	2C76B88A912C741F1404B400C1ADD578	13D1B6D341D59AEF6833A4123E22484DDB665183	5178365164F71D22459D807A5BA61E8D50DD15A4ADB4A00B08248C6F141F8074
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	11984E7E8E4CCF670650A00815F258EC	7AAE2C73823D93921EBB0804C33CFDFC3C01FD7E	E8D059F40C27FFA13ECB5C4046B441FF725D8CA4AE60961DCA1FD7587D16161F

Windows Analysis Report
OXhiMvksgM.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report OXhiMvksgM.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
OXhiMvksgM.exe

Malware Threat Intel
Provided by