Windows Analysis Report
jXtV6KO1A7.exe

Overview

General Information

Sample name:	jXtV6KO1A7.exe renamed because original name is a hash value
Original sample name:	05488f673ffd2063badad75aaa0f7d83.exe
Analysis ID:	1429027
MD5:	05488f673ffd2063badad75aaa0f7d83
SHA1:	15d293a62da1a91cd85fa617c49ec37457ed5c2b
SHA256:	d3fdc737b6c67b92e239b72492106972d4d599fb0b6aa83e0b5de1cba771c3ad
Tags:	DCRatexe
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

Adds a directory exclusion to Windows Defender

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Infects executable files (exe, dll, sys, html)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: System File Execution Location Anomaly

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Allocates memory with a write watch (potentially for evading sandboxes)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: jXtV6KO1A7.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	ReversingLabs: Detection: 71%
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	ReversingLabs: Detection: 71%
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	ReversingLabs: Detection: 71%
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\Public\Pictures\hYMmOtYRdhDhf.exe	ReversingLabs: Detection: 71%
Source: C:\Users\Public\Pictures\hYMmOtYRdhDhf.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\user\Desktop\DSJnFhkO.log	Virustotal: Detection: 19%	Perma Link
Source: C:\Users\user\Desktop\FUwWbQoJ.log	ReversingLabs: Detection: 30%
Source: C:\Users\user\Desktop\FUwWbQoJ.log	Virustotal: Detection: 30%	Perma Link
Source: C:\Users\user\Desktop\LAruMjCr.log	ReversingLabs: Detection: 30%
Source: C:\Users\user\Desktop\LAruMjCr.log	Virustotal: Detection: 30%	Perma Link
Source: C:\Users\user\Desktop\LIbMrSdw.log	Virustotal: Detection: 7%	Perma Link
Source: C:\Users\user\Desktop\PqilTgDk.log	Virustotal: Detection: 7%	Perma Link

Multi AV Scanner detection for submitted file

Source: jXtV6KO1A7.exe	ReversingLabs: Detection: 71%
Source: jXtV6KO1A7.exe	Virustotal: Detection: 73%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Joe Sandbox ML: detected
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: jXtV6KO1A7.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Unpacked PE file: 0.2.jXtV6KO1A7.exe.3520000.8.unpack

Uses 32bit PE files

Source: jXtV6KO1A7.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Directory created: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Directory created: C:\Program Files\Common Files\System\ado\en-US\ee2ad38f3d4382	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Directory created: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Directory created: C:\Program Files\Windows Media Player\Media Renderer\9e8d7a4ca61bd9	Jump to behavior

Source: jXtV6KO1A7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: 7C:\Users\user\AppData\Local\Temp\hoedt554\hoedt554.pdb source: jXtV6KO1A7.exe, 00000000.00000002.1834254846.0000000003E86000.00000004.00000800.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49736 -> 104.21.20.157:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: powershell.exe, 00000038.00000002.1952279119.000002B200225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000016.00000002.2159012209.0000022A3BEE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2071924859.0000022CE0DD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2077647194.000001AAD83FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2032142365.0000011880227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2077811589.0000022663D06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2078823317.00000243308B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2081419960.000001304F077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2175269170.000001ABD2277000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2080969052.00000209264D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2078108765.0000022004695000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2001207752.0000022E80225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2033089276.000001D180227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2035261064.00000216B4ED6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2077744353.0000020A5A925000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2032903250.0000014C65475000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1992948818.00000201C2BC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2081491659.000001CB5D6CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1952279119.000002B200225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: jXtV6KO1A7.exe, 00000000.00000002.1834254846.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2159012209.0000022A3BCC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2071924859.0000022CE0BB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2077647194.000001AAD80C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2032142365.0000011880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2077811589.0000022663AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2078823317.0000024330691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2081419960.000001304EE51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2175269170.000001ABD2051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2080969052.00000209262D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2078108765.0000022004471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2001207752.0000022E80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2033089276.000001D180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2035261064.00000216B4CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2077744353.0000020A5A631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2032903250.0000014C65251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1992948818.00000201C29A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2081491659.000001CB5D321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1952279119.000002B200001000.00000004.00000800.00020000.00000000.sdmp, hYMmOtYRdhDhf.exe, 00000047.00000002.1936550000.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000016.00000002.2159012209.0000022A3BEE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2071924859.0000022CE0DD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2077647194.000001AAD83FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2032142365.0000011880227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2077811589.0000022663D06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2078823317.00000243308B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2081419960.000001304F077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2175269170.000001ABD2277000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2080969052.00000209264D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2078108765.0000022004695000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2001207752.0000022E80225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2033089276.000001D180227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2035261064.00000216B4ED6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2077744353.0000020A5A925000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2032903250.0000014C65475000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1992948818.00000201C2BC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2081491659.000001CB5D6CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1952279119.000002B200225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000038.00000002.1952279119.000002B200225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000016.00000002.2159012209.0000022A3BCC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2071924859.0000022CE0BB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2077647194.000001AAD80C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2032142365.0000011880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2077811589.0000022663AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2078823317.0000024330691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2081419960.000001304EE51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2175269170.000001ABD2051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2080969052.00000209262D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2078108765.0000022004471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2001207752.0000022E80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2033089276.000001D180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2035261064.00000216B4CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2077744353.0000020A5A631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2032903250.0000014C65251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1992948818.00000201C29A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2081491659.000001CB5D321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1952279119.000002B200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000038.00000002.1952279119.000002B200225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester

Creates files inside the system directory

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Windows\Logs\CBS\23fc0d88861170	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSCDDA5522436C442998F7B48C7E6412627.TMP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSCDDA5522436C442998F7B48C7E6412627.TMP

Jump to behavior

Detected potential crypto function

Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Code function: 72_2_00007FFD9B890D48	72_2_00007FFD9B890D48
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Code function: 72_2_00007FFD9B890E43	72_2_00007FFD9B890E43
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Code function: 80_2_00007FFD9B880D48	80_2_00007FFD9B880D48
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Code function: 80_2_00007FFD9B880E43	80_2_00007FFD9B880E43
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A107C	81_2_00007FFD9B8A107C
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A0000	81_2_00007FFD9B8A0000
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A0ED1	81_2_00007FFD9B8A0ED1
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A01FA	81_2_00007FFD9B8A01FA
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A01D3	81_2_00007FFD9B8A01D3
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B890D48	81_2_00007FFD9B890D48
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B890E43	81_2_00007FFD9B890E43
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A15CB	81_2_00007FFD9B8A15CB

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\Desktop\AUxWHHiO.log A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
Source: Joe Sandbox View	Dropped File: C:\Users\user\Desktop\AZuFUlyQ.log 873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C

Sample file is different than original file name gathered from version info

Source: jXtV6KO1A7.exe, 00000000.00000000.1635044803.0000000001306000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs jXtV6KO1A7.exe

Uses 32bit PE files

Source: jXtV6KO1A7.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: jXtV6KO1A7.exe, Sof8BSxrWYXaV5JrfcE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: jXtV6KO1A7.exe, Sof8BSxrWYXaV5JrfcE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: jXtV6KO1A7.exe, Sof8BSxrWYXaV5JrfcE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: jXtV6KO1A7.exe, Sof8BSxrWYXaV5JrfcE.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@84/148@0/0

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

File created: C:\Program Files\Common Files\System\ado\en-US\Registry.exe

Jump to behavior

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

File created: C:\Users\user\Desktop\taSXmSLk.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6352:120:WilError_03
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Mutant created: NULL
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-MhLmxgcY3RcYqiSTprPX
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8508:120:WilError_03

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

File created: C:\Users\user\AppData\Local\Temp\hoedt554

Jump to behavior

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dlRCjeHhst.bat"

Source: jXtV6KO1A7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: jXtV6KO1A7.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: jXtV6KO1A7.exe	ReversingLabs: Detection: 71%
Source: jXtV6KO1A7.exe	Virustotal: Detection: 73%

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

File read: C:\Users\user\Desktop\jXtV6KO1A7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\jXtV6KO1A7.exe "C:\Users\user\Desktop\jXtV6KO1A7.exe"
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hoedt554\hoedt554.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAFD2.tmp" "c:\Windows\System32\CSCDDA5522436C442998F7B48C7E6412627.TMP"
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: unknown	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe C:\Users\Public\Documents\hYMmOtYRdhDhf.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: unknown	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe C:\Users\Public\Documents\hYMmOtYRdhDhf.exe
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\My Pictures\hYMmOtYRdhDhf.exe'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ado\en-US\Registry.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\hYMmOtYRdhDhf.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jXtV6KO1A7.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\jXtV6KO1A7.exe C:\Users\user\Desktop\jXtV6KO1A7.exe
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dlRCjeHhst.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\jXtV6KO1A7.exe C:\Users\user\Desktop\jXtV6KO1A7.exe
Source: unknown	Process created: C:\Program Files\Common Files\System\ado\en-US\Registry.exe "C:\Program Files\Common Files\System\ado\en-US\Registry.exe"
Source: unknown	Process created: C:\Program Files\Common Files\System\ado\en-US\Registry.exe "C:\Program Files\Common Files\System\ado\en-US\Registry.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown	Process created: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe "C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe"
Source: unknown	Process created: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe "C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe "C:\Users\Public\Documents\hYMmOtYRdhDhf.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe "C:\Users\Public\Documents\hYMmOtYRdhDhf.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\Public\Documents\hYMmOtYRdhDhf.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe C:\Users\Public\Documents\hYMmOtYRdhDhf.exe
Source: unknown	Process created: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe "C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe"
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hoedt554\hoedt554.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\My Pictures\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ado\en-US\Registry.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jXtV6KO1A7.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dlRCjeHhst.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAFD2.tmp" "c:\Windows\System32\CSCDDA5522436C442998F7B48C7E6412627.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe "C:\Users\Public\Documents\hYMmOtYRdhDhf.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe C:\Users\Public\Documents\hYMmOtYRdhDhf.exe

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: version.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: version.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Directory created: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Directory created: C:\Program Files\Common Files\System\ado\en-US\ee2ad38f3d4382	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Directory created: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Directory created: C:\Program Files\Windows Media Player\Media Renderer\9e8d7a4ca61bd9	Jump to behavior

Source: jXtV6KO1A7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: jXtV6KO1A7.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: jXtV6KO1A7.exe

Static file information: File size 3682816 > 1048576

Source: jXtV6KO1A7.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x382a00

Source: jXtV6KO1A7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: 7C:\Users\user\AppData\Local\Temp\hoedt554\hoedt554.pdb source: jXtV6KO1A7.exe, 00000000.00000002.1834254846.0000000003E86000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Unpacked PE file: 0.2.jXtV6KO1A7.exe.3520000.8.unpack

.NET source code contains method to dynamically call methods (often used by packers)

Source: jXtV6KO1A7.exe, Sof8BSxrWYXaV5JrfcE.cs

.Net Code: Type.GetTypeFromHandle(C5Ps4sEwxoRgsMuZ5KP.xLqKmLeHYN9(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(C5Ps4sEwxoRgsMuZ5KP.xLqKmLeHYN9(16777245)),Type.GetTypeFromHandle(C5Ps4sEwxoRgsMuZ5KP.xLqKmLeHYN9(16777259))})

Compiles C# or VB.Net code

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hoedt554\hoedt554.cmdline"
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hoedt554\hoedt554.cmdline"			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A92D8 push esi; retf	81_2_00007FFD9B8A92D9
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A9ADA push eax; ret	81_2_00007FFD9B8A9ADF
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A01D3 push FFFFFFE8h; ret	81_2_00007FFD9B8A01F9

Source: jXtV6KO1A7.exe, v9wlNN90KHNePaOdLWf.cs	High entropy of concatenated method names: 'Close', 'qL6', 'Jtg9CRy9mV', 'IHr9878dOC', 'vBG9IilKa8', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: jXtV6KO1A7.exe, Sof8BSxrWYXaV5JrfcE.cs	High entropy of concatenated method names: 'VxgYUg4G8xSyplGHp69I', 'ELKFkG4GICPqj8UHlFJ5', 'XTkGXpmned', 'mxypjo4GNjYyyPe57iGf', 'bh3CnM4Gq6Cw6fo6bV6m', 'dVX5Zf4GQH7axc6cI5gH', 'REDSpn4GiIB0FBkRGdf7', 'QNWpab4GVav74Q7O1h2P', 'mr20iO4GyvBIvxiRKIXm', 'dMaOid4G3R19eCMmxrgf'
Source: jXtV6KO1A7.exe, TJI8QMETuBbK7WvNDqh.cs	High entropy of concatenated method names: 'iSGEP3OoDQ', 'EkEEkJgoN5', 'ow4ERgkK4Q', 'TxfElGMHmR', 'oMNE94iTGD', 'gjjEOMdxjv', 'GxCE0TKFlm', 'ApSEfE5gId', 'qWmEC9a3qB', 'iARE8n31Ki'
Source: jXtV6KO1A7.exe, NIwBwAjbtQo4VncamWM.cs	High entropy of concatenated method names: 'W5ojHHOmBR', 'aHXjwQAEOi', 'udYjug2UsZ', 'CZnjak8evd', 'hx2jv4Pif6', 'VLeBCh4q3RHN2FqjsE9T', 'UoGw5R4qVWyCkpaoaFUC', 'XvfMhW4qyGWgoIa1LaC8', 'YNsmuL4qdP3tntZKOWPc', 'N4yQuo4qtQB5EAwZmt3X'
Source: jXtV6KO1A7.exe, kK23xlrR3usDBoqg1v.cs	High entropy of concatenated method names: 'oyvONlAk8', 'fScOPI4j9RrQF45C4IhS', 'whFyi54jO4MrS8bnuAYl', 'BAkrTq4jR5HHPIso6PrZ', 'Twxwq94jllLPr5UjGQVo', 'FwfhwRoLX', 'rgU2B2pDn', 'UgsgRFUeC', 'HGB6PMpdK', 'UW21udg3A'
Source: jXtV6KO1A7.exe, tUY1UR4X5CI5ZGd5aXp.cs	High entropy of concatenated method names: 'P9X', 'iKw4AZSQFT', 'ETC4FWM0dMv', 'imethod_0', 'Piq4xKWOAY', 'XOXx4Q4sABueJ0dJD7oj', 'hJFm4Q4sxR6e2cfEkbwI', 'eR7B514sXSJf4M9pDJud', 'g5ucxi4sZYJywks1Uyaj', 'nsRASQ4sGr9HIXNLZOeJ'
Source: jXtV6KO1A7.exe, bBMmLcxWbZnJbGZ2scE.cs	High entropy of concatenated method names: 'LNYxB9tPlT', 'UMoxmHO5Zp', 'tlnqth4GT58i3br3M6dX', 'I4TLln4GhfRn1uW7Jmnv', 'UBLn3h4GvCFqGL530R98', 'GVIoit4GrRdZJunCwcYG', 'ogqPUi4G2Z3rW3MUiap6', 'll9xml4GgileFWtnU9qc', 'OHgxKX6VlK', 'SBgLq14GHgapSB8xf6GH'
Source: jXtV6KO1A7.exe, JvThxUPHhs3fRiKhErn.cs	High entropy of concatenated method names: 'psiPu8RGjC', 'HnqARB4i3mEq9XlRiiJu', 'EM7MK24iVBKN6wwDBabB', 'nOv05r4iyIC20j16dc61', 'w3Ter14idoHx0aZOW6VF', 'dvhYKb4it834Ab2X0sEg', 'v9kefv4iXd0LXh6xEVgn'
Source: jXtV6KO1A7.exe, c6b4k4ZlhXdc3Re7pCp.cs	High entropy of concatenated method names: 'vw2ZO666ba', 'YEJZ0SsbU7', 'NdWZfuaox8', 'cx5ZCru093', 'STGZ8SLdon', 'KcFZIEmhCD', 'kg2ZMC1lbe', 'FgmZpYGcq0', 'o8qZJUlWgd', 'BUyZNJGnth'
Source: jXtV6KO1A7.exe, TRFNR4ARNGBxQwYlgx3.cs	High entropy of concatenated method names: 'WjqA9nMFTe', 'COXAOvl7ZX', 'ePZA0lDBIg', 'RatAf0RxZk', 'Dispose', 'Ex51Mo4xX5rClsAUE0Oa', 'BM06VB4xdIM8Vn9y4SbK', 'tkTtoH4xtBEMqc2wATgF', 'Pcpdm84xZ16f9m9PsJ93', 'oY1KLE4xANnrC9ODUQKF'
Source: jXtV6KO1A7.exe, NAxTBWBIXyo4Iv3CN0u.cs	High entropy of concatenated method names: 'qUqBEoufMc', 'SAa0CI4RW8qeD3NjH0yQ', 'SGhs2R4kU9qqwK1XFIR0', 'u3yaNb4kzVH7oCteiyBq', 'SaBX9p4RBBdILIMwMjp8', 'ii0ZEi4RKnX5MfthHpEU', 'd06kd74ReRx5l3AaRVax', 'BrnTfM4RmEls8RqNvpoW', 'n45m7y4XKg', 'BUB70W4RY2t8vybZdM8i'
Source: jXtV6KO1A7.exe, ommZBKmoOBW8PT05Qmr.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'Tgu4FmmNWEd', 'o5v4B4peqhS', 'YsTMNJ4RLHfdNQV6eQf9', 'MctBfh4RH8Ibtcyjrkln', 'W3OMUS4RwkOnBuqPIv1J', 'MIsaML4RugDqL8EIH4ic'
Source: jXtV6KO1A7.exe, LRQw5DNVb473yjASxt.cs	High entropy of concatenated method names: 'IndexOf', 'Insert', 'RemoveAt', 'get_Item', 'set_Item', 'method_2', 'Add', 'Clear', 'Contains', 'hGcQ8Xavh'
Source: jXtV6KO1A7.exe, bhwMZIFvakuS1yo68DP.cs	High entropy of concatenated method names: 'xuVF2RhHV4', 'PSpQR74OgZiALinTUjlU', 'tFs1te4OhaqjZiB0bFZ7', 'zrW2Jt4O2IoLr1gqWlYP', 'Jvo84c4O6LYKJYk4rph5', 'UvSFTAv6Rs', 'LPNqGo4Ov5Jk2Ytw4EDG', 'xOsoj94OrV0RejL92Grc', 'jb5CXj4OuELLyuT9XMLQ', 'tCoZGU4OaNxRkFdGycd3'
Source: jXtV6KO1A7.exe, Udqfpvgb62G1CMERL8R.cs	High entropy of concatenated method names: 'Rrr', 'y1x', 'cMa4F6WBNIu', 'Yiu4F1yrwxj', 'maExBT4p9giZrnYk8BAP', 'Ijw3WV4pOaUCVYhNXocZ', 'GJNOQ34p0s2o4KmX5Aum', 'gMXN2p4pfODjTN8evGqi', 'swti414pCGNY96hbWh8q'
Source: jXtV6KO1A7.exe, pAwyNvownuXjJDejYG4.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'sKB0yj40nkGDqSF1f9F3', 'tylcjs40DXce5glL2kM8', 'SuaUkP4051ta9dU49cWq', 'iNUS6j40jtPZb8A3383D'
Source: jXtV6KO1A7.exe, GwcZdU8qZX1tnulCMqE.cs	High entropy of concatenated method names: 'FxF4FDhQU19', 'xZ78il53jF', 'MNr8VPSMRE', 'x1a8y7CR0K', 'NiWjIT4t3paxyNUEjbOD', 'b7igrp4tdp98WncjA4RW', 'yIOla34ttjby0W31Vrxa', 'kEMTS64tX2DGpuBaNL8d', 'yA65vq4tZMp5gpm92cFL', 'DZ0BNd4tAp2PfZE5Iv48'
Source: jXtV6KO1A7.exe, EywiCwY4Cfp8WQsGATB.cs	High entropy of concatenated method names: 'JNeYektbKn', 'KQPYBuWuq0', 'zIhYm2GxTH', 'D5wIkB4lxri7lkxWOEec', 'lHFTM64lZc9uufVsZQli', 'tXbsRx4lA8Cn3vrTLMQ3', 'QXrhAe4lG2i9vYxcLw82', 'wVhEbe4lEgLmmrbpqH6s', 'hHCXqW4lUFbHhoqMu8a1', 'klJHrt4lznjP9Q6lMTFR'
Source: jXtV6KO1A7.exe, BujtVCIRZO8fnYp0raR.cs	High entropy of concatenated method names: 'EiwI94M4Si', 'XVdIO145Tn', 'GfZI0YmKc2', 'HgNIffNUgF', 'HZ3ICMwYJO', 'cTlI8tFMcb', 'nT4IIZ6xu5', 'GEhIMvlHci', 'c4pIp3EDHg', 'VUQIJ55iot'
Source: jXtV6KO1A7.exe, EKQIxo7DmryFrW8i7Bv.cs	High entropy of concatenated method names: 'zV77ROIvvn', 'x61SCN4lP0uQa0ENsyId', 'VUgo4j4lsApJVFUc4rBL', 'h9nmFb4lSryxWCiSCQnH', 'zlurlX4lkqSbv0awjhqC', 'E94', 'P9X', 'vmethod_0', 'V2d4B2qGfPb', 'pbb4FoVHJ29'
Source: jXtV6KO1A7.exe, LoowL6g4sYxDT2nlRc8.cs	High entropy of concatenated method names: 'rC9', 'method_0', 'GDL4FhcmMng', 'udx4F25dBVO', 'qm0pu34p2t4NYBttnZ6T', 'cmn4SF4pg2eq7HYNHYRI', 'gkUb1Y4p6bH4aMJcP6uZ', 'BPOPfM4p1Kd6DXTT7LK2', 'zONWlv4pnWWXnt9YgPSf', 'rPwmjA4pDeaKtSAE2fY7'
Source: jXtV6KO1A7.exe, qhAnr0ncigOj0aqEsm3.cs	High entropy of concatenated method names: 'F3inR6PMkU', 'MYHnLbVlnW', 'nhQnHrLqig', 'qH4nwUhfs3', 'MpinukpJmc', 'TjIna5HUJj', 'phwnvQVG1Q', 'r5jnrJ50BZ', 'XBZnTxBJSf', 'DhEnhiYoXp'
Source: jXtV6KO1A7.exe, HAo0TaYoI7Ajb3yAUkD.cs	High entropy of concatenated method names: 'OBKYbSBCrc', 'xDcYLoTZh0', 'uBGDET49BvWmIhiP6viD', 'ACLlwt49KxYX6iYam1Ls', 'tc8HyC49eqCHysUktLDv', 'HCXOGC49mVyfiuU5WgJs', 't8POIp497nAQjQBaum9U', 'eMCA4Q49YJSybK6tbvrd', 'E25di249FJJ4Au1YjNKV', 'meQjno49oEUVoDwlQHJm'
Source: jXtV6KO1A7.exe, kQh1BAXCBCVc4TCn6Gb.cs	High entropy of concatenated method names: 'Xl04FjFCfSc', 'r3B475T8yIa', 'B7DnO24AI220Mq6Ut4lZ', 'caTIKn4AMdQunONH8Iuu', 'SHqbXr4Ap1US5O9fk46a', 'sSKtRc4AQYtsQs32Vj5m', 'M5wie54ANUSoSY12PRaj', 'rb27ql4AqIEI92djM5yU', 'UE8yNm4Aid3Us6Ra4N96', 'imethod_0'
Source: jXtV6KO1A7.exe, p6JESIK3YZ4Ji9ESCrT.cs	High entropy of concatenated method names: 'orneYj5gMm', 'CTkeDE4SGgtpNh7kBwTc', 'WyLJQy4SEHDa6CVDRxYu', 'wXjBUQ4SUSXcCNCEf5rf', 'NnEpTY4SACfBAxMPlo2d', 'HFJKlx4Sx18V1WNxyAYy', 'QNQfq44SzX98KXS9ZWZI', 'CJHZCZ4PWWBM6jy4gnJI', 'Nl0eWLabeO', 'MLCeKylU9K'
Source: jXtV6KO1A7.exe, m21GGnFskqjvOrpg8Xj.cs	High entropy of concatenated method names: 'SDDFP5IKcw', 'dmsFkQFZSG', 'TgHFRwoCeh', 'lQVFlGFC5v', 'pDZF91ENCP', 'XMvFOulkqO', 't6Bmad4OCeX0Yhk5VJMv', 'RLoxZE4O8IMZ6PD9hAsI', 'OIn9ok4OIPIIxwARQFL9', 'q9b9214OM7egINPDER2d'
Source: jXtV6KO1A7.exe, tDLLuNIxxmig0Ads0he.cs	High entropy of concatenated method names: 'Db6IE1Znlg', 'nplIULpRHH', 'UiiIzgkmr6', 'aQsMWqUDRp', 'oXgM4G1kXp', 'dKmMKR5QSP', 'HAWMeehWp2', 'EWpMBPY52v', 'vBVMmiUVVV', 'WxPM7QO9bp'
Source: jXtV6KO1A7.exe, Ii2mG093oJfe1YZ8GJp.cs	High entropy of concatenated method names: 'AxV9tipjo9', 'k6r', 'ueK', 'QH3', 'BC29XyvNgS', 'Flush', 'uaU9ZxbSmb', 'gbF9AW66Yx', 'Write', 'A0G9x3BwZM'
Source: jXtV6KO1A7.exe, kTPMis6H8ZQ8VsaS3ub.cs	High entropy of concatenated method names: 'c34n4nPQhn', 'J51nhO4NYOUIVjTKBYSi', 'BBFmCN4NmRNRjPGeEy7R', 'BfCiJZ4N7Rcy9vrLgIQn', 'aAf6uxsk7L', 'mLe6as3bx1', 'k3R6vRDhsP', 'ndC6rZAowO', 'PtD6TVftNr', 'gTY6h3P7E5'
Source: jXtV6KO1A7.exe, W4KCGTh89P19TGZeh9p.cs	High entropy of concatenated method names: 'G6shQJ4ePg', 'F4Ohi8q6Pj', 'N78hVUeTvg', 'dA1qX84IUeKD0pY5DPUZ', 'Rgmc5x4IztwUjVup03TE', 'yoeKYY4IGAbnHaaV18N6', 'ePqpsA4IE3qpefsbK7BR', 'FI8hM5qf4h', 'kxmhp6gp4E', 'KTEhJi4ApC'
Source: jXtV6KO1A7.exe, GRFBUSPMPg5jUfxb9C4.cs	High entropy of concatenated method names: 'K5bPJ9iCrm', 'j9QPN7tGH4', 'umRPqAVtAh', 'M2dPQCg0Y1', 'XaCPi3RV9R', 'DsaPVw2I0Z', 'E3ZPy6wq3W', 'rbEP3sh25L', 'tkcPdMTp9K', 'nDnPtDFNB3'
Source: jXtV6KO1A7.exe, V8MJwn8o1Ap0XVwIi8u.cs	High entropy of concatenated method names: 'Rk98D3TBVG', 'Rm8bOn4tCQN2pDr403rs', 'SMA7Ch4t8hZFs0qh3Qe9', 'b6LLcd4t0SuxmtgP4UBr', 'w51DAq4tfmuQdWSBucDN', 'cRfx2r4tIeJv5O11k6xH', 'IPy', 'method_0', 'method_1', 'method_2'
Source: jXtV6KO1A7.exe, PoMnViXRnWFOg9wmKU8.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'pIgX9asNed', 'ihtRBu4AcYVRgBy9L5qo', 'Si5dVN4AbTQCwEa4vJe6', 'oeboNm4ALeSuNa9swp7G', 'TMeoOQ4AHWIqnMESs3Ha', 'Oe1Rru4AwFZKJXAByvKa', 'zfkJeb4Au96pNCSrMY9b'
Source: jXtV6KO1A7.exe, ui4hJiYfH1DXNCKCTsy.cs	High entropy of concatenated method names: 'P9X', 'vmethod_0', 'vbk4BnEbaEW', 'WyK4Fb5dhyg', 'imethod_0', 'atU7dG49Nts0o80LtPEn', 'drRufu49qmSQDl5QI3lh', 'vcQgh749puMJgBZouwCb', 'PuuNqa49JXMAvZGxjD5V', 'IMtnHq49QAYnox6bxfac'
Source: jXtV6KO1A7.exe, oa7W1ARFkEQLP7BMZt0.cs	High entropy of concatenated method names: 'uriRccJHoT', 'dpsRbni9DK', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'RoIRLlBto8', 'method_2', 'uc7'
Source: jXtV6KO1A7.exe, MNu3nMSUqOjb7pB8AbH.cs	High entropy of concatenated method names: 'n0tPW0gVen', 'CVQP4fbSUL', 'fbXPKTs1Hr', 'nLdPeQMxjS', 'ymwPBgjGQ3', 'CBmPmhn7dv', 'o8XhVT4ilZmAPU0XfHlO', 'rJJrcn4i9mtQadQIltFS', 'vSvdts4iOWCmJsAKoMHH', 'd4vj0A4i0CEZSu8WTbbO'
Source: jXtV6KO1A7.exe, wa99r4gap7den2RhLSO.cs	High entropy of concatenated method names: 'xEQoPW4pEkWU10MeL6vj', 'G6wWiU4pUJ4P3gwqaAD1', 'ffsh6c4pz4t9k7vC30t2', 'qLqEd04pxVtVuQRPmqDg', 'F4VFKH4pGZWPXyBTlpuY', 'method_0', 'method_1', 'gLQgrr9YLS', 'IXGgTDiIKw', 'kwaghWuhZJ'
Source: jXtV6KO1A7.exe, DlTFDEoKTvAkdQ3KDrp.cs	High entropy of concatenated method names: 'IyYoBw7P13', 'crNomeegLs', 'yJlo745QcW', 'q5GoY1tUPd', 'SXeoFcu3ZJ', 'spyoo92Llw', 'ArvocL1nvc', 'X4pob6IFTk', 'o4DoLmEUVj', 'p9IoH0V07T'
Source: jXtV6KO1A7.exe, mUloXAzHfdRtUUdB8Z.cs	High entropy of concatenated method names: 'Cs244bQPtt', 'zIZ4eIG5Fd', 'yow4Bk3Yx6', 'z3V4mMJuBs', 'cLY474V6SG', 'SIa4YjflBN', 'TfO4oGq7jN', 'Qc7ORu4scMENyRyfccll', 'bgkLDZ4sbkmLICibITM0', 'lJPmsa4sLRfInLlhvgdV'
Source: jXtV6KO1A7.exe, YNHWV7O3KQbB4xq3GBG.cs	High entropy of concatenated method names: 'oK6rXN4dP04Fn0T2Qe1I', 'J6IMWb4dsmHZKPs2SKh3', 'UBuFFT4dShHkSFLcHSyy', 'WVjDgi4dkU2K6Dc8uhkR', 'iJeOtf6eoe', 'Mh9', 'method_0', 'AQdOXYqgok', 'DatOZBoD3M', 'GtAOA43hvx'
Source: jXtV6KO1A7.exe, Mankk1B5LrcZ46WD19i.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'AHQ4FewNKbB', 'o5v4B4peqhS', 'sJR7HK4kgw5MedVghJfG', 'rw1tcZ4k67F4hDsk5wlb', 'OL2H3P4k1JJFKQP78lyl'
Source: jXtV6KO1A7.exe, jjItJ85X8YOcEk0yhxV.cs	High entropy of concatenated method names: 'O925AdawF2', 'fjg5xAH1kJ', 'O8V5GEqRdf', 'KbF2uW4qppoylxZCJD5u', 'ejUCUW4qJV5wvjBrFMiV', 'o9GInq4qNAA6gJRS4PQt', 'prD4Wv4qqcSWhObQZkL6', 'jQO0R04qQh8GUp8Y9XnT'
Source: jXtV6KO1A7.exe, fIaqeUYh3gm51yI3aAG.cs	High entropy of concatenated method names: 'pmqYSLW8KI', 'a5soAq49SdcvKbXkn7et', 'XSClYD49jrFPWCPIuExi', 'rTno6h49s6Hc3aLoeZnn', 'Mxof6p49PCHCHXlgSn9c', 'HPMphX49kLrKkQCMTimZ', 'iwmYgeNpeD', 'vVPY6kxl4p', 'F0xY1pnUCH', 'yJvYnsVoUZ'
Source: jXtV6KO1A7.exe, ATHxGwPRr8yW0IJwj23.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: jXtV6KO1A7.exe, Tq90TRseE1rB4YEyQMs.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'sLAsmvjrqr', 'Write', 'OL4s7fx8D0', 'UxrsY0XMkK', 'Flush', 'vl7'
Source: jXtV6KO1A7.exe, MCwhNVkUFVmXpdtRWVZ.cs	High entropy of concatenated method names: 'rA0RWu4dJI', 'E4ER4nlD5L', 'Yd7', 'EPTRKN95Qi', 'S18ReBYT4g', 'fMxRBbgh95', 'QsyRmLaSxp', 'dd1FTG4ynfaI7uP9h04Z', 'wQ0MYH4yDIWLc6mWylIT', 'wqctyW4y5AaZT2vouQrT'
Source: jXtV6KO1A7.exe, zCxYFfDN5wYfVsuZW8E.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'pNiDQdZqG8', 'xmrDiqfRQq', 'Dispose', 'D31', 'wNK'
Source: jXtV6KO1A7.exe, KeW8xnYR0nIIabihyHu.cs	High entropy of concatenated method names: 'kOvY9fUXDv', 'vPOYO4QCRg', 'ohTI2Y49OmHPoZaVpq5q', 'CYIBWY49lQgY353p7fkC', 'm8Vw0j4999Qof9R5qevw', 'QeTgAH490EVTofINpSbw', 'kKrrnO49f4tBoZyWcXud', 'bxS6vs49CavARrwdMkpi', 'FmQyMO498tGUDLxOXdIX', 'bIEgSV49IYu7LRxgVumL'
Source: jXtV6KO1A7.exe, niipRxStpUAbGvpuAX3.cs	High entropy of concatenated method names: 'TiRSZlfBhw', 'sRrSAZfKBm', 'vFjSxiHayR', 'QWCSGtVnYl', 'uJwSE3vqTj', 'xGpRkV4i5kc6iJplRX5s', 'KHDnxH4inhUuAYlAm7Lb', 'rqKxbe4iD7GIVOTlBKYq', 'IvnLhw4ijKB0tyjIOpFV', 'aT8u8P4isaHfqlFr8NHM'
Source: jXtV6KO1A7.exe, u8OWbc8RjKNTH92JiSR.cs	High entropy of concatenated method names: 'Ur589mYgvI', 'Phd8Ob7bTK', 'ci180cRkPx', 'MFq8f6hyTF', 'h0F8CwaPan', 'MsS888M1lR', 'CVN8I1bBv0', 'r018MZiXxE', 'tOd8pge1mb', 'wl48Jyt9xf'
Source: jXtV6KO1A7.exe, TjduHGhSRQ6heJb5VOV.cs	High entropy of concatenated method names: 'jEChfdQYMe', 'keGliv4IdB0mWeN6CXyk', 'PfIllh4IylKehbu0LyhV', 'Xluj2L4I3KDVj7X4nNMA', 'HWkKyO4Itul9XmIqivPW', 'KvIhkXpvbZ', 'sWWhRGxCUo', 'PakhlyhsCx', 'MgnDUv4IqW24KnLJmaY1', 'fRtOai4IQMPiZLXQDWOK'
Source: jXtV6KO1A7.exe, bc4Q1pFmDsebgyLcmlH.cs	High entropy of concatenated method names: 'O3I', 'P9X', 'gn24B5l7Zrj', 'vmethod_0', 'imethod_0', 'bNsubT4OWAjWWWNlEkJJ', 'KL15sm4O485QBwrBVYVS', 'eZf8Kk4OKI3BcbgVGqaH', 'CDSIQR4Oer7IuYkqRw80', 'sYwMVh4OBrllnAx92vKq'
Source: jXtV6KO1A7.exe, cWZfEsejZaBjaOlqp8R.cs	High entropy of concatenated method names: 'tcoeJEPccv', 'EV2eNP7EGI', 'LJXeqwjfw2', 'SJhZ4i4Ppgq2FAapq5ZO', 'rHaTtv4PIFafGZhgsNYY', 'TxtrRF4PMEvQpLyxMfb9', 'tm4eS1o3Rq', 'uHQePFsdCE', 'z5pekHhyO7', 'qFJeRnBDuU'
Source: jXtV6KO1A7.exe, OslYaUspwjD1py7hoSm.cs	High entropy of concatenated method names: 'EF0sEXgtMb', 'FBZszPWpIi', 'yaSsNfkMoV', 'lUhsql9VCf', 'l5fsQFlCy9', 'Dj0siFqW6p', 'm6rsVLEOrh', 'o0Nsyewb0Q', 'WFVs3jludC', 'tD4sdoTwat'
Source: jXtV6KO1A7.exe, oC5qAau11K4oL8jmmQw.cs	High entropy of concatenated method names: 'GLehHo5NbF', 'uDthwicOtA', 'EKbOGK4ISpIDURNNU41u', 'XPckZ54Iji5ea0nt8ETr', 'rOrP6L4IsI3CgQxNBxy0', 'M5XGAy4IPhlcvSHIoNsB', 'sbehh2ZRRx', 'DWuuGI4I9awJVcRJZVwb', 'h5GO6n4IRVMrl2ZGOrVZ', 'M8NeoS4IlWdvHnwu3OjJ'
Source: jXtV6KO1A7.exe, Ae2ONu2wJcrJpIRmd2Y.cs	High entropy of concatenated method names: 'rTB22hExt1', 'yIxdaR4MfFqyEdr0Zmjh', 'Crn3LM4MCXdGGo5ix89V', 'to9GUj4MO3h8wIxwbg1W', 'Iejyin4M0Hg4jlYkFJDd', 'jLM2aVeoU8', 'kwYjiu4MSt7BBxtFxqih', 'xkK5si4MPkjm8UI4yiei', 'fuIXtR4Mk19OlaFTP7lS', 'KyPJYx4MRUXMUEIp02lu'
Source: jXtV6KO1A7.exe, oTCP4ElgVO65XBRYR0w.cs	High entropy of concatenated method names: 'Ww39wdPX1I', 'yOmLEq43vC9FabufuvOX', 'UQdKy943raxEnvemkieH', 'kt5', 'YsFl1BxLDE', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'Suz'
Source: jXtV6KO1A7.exe, wHPnojmdmDGvQXXDp1N.cs	High entropy of concatenated method names: 'RhgmGSbecn', 'c9MmER53N4', 'bZMmUrF2AS', 'HwYmziPUWy', 'CgZ7W8b3R5', 'f6V74VT0Qn', 'GWs7KXCGxi', 'qwbjAv4l7FlYyHI3DEGa', 'SD5B784lY6jiA1cC6riU', 'p8RLGO4lBc6HdFbj0jBW'
Source: jXtV6KO1A7.exe, BqhQqQonIer9iNSjioU.cs	High entropy of concatenated method names: 'UnLicv4C23GKjUeFboJC', 'aXCZIZ4CTewA45yB0YF3', 'KLOarI4ChMbKKVUxGnBr', 'A6x6N64Cg4p618JIDsGr', 'iy9wUNbCCK', 'SS4uRX4CDncqeOBIIYJp', 'QFkNms4C1XfogfLRiVbJ', 'YfUU0q4CnRNCYlDyrtHd', 'SnnOSX4C5yNuWQHwTdIZ', 'olEu41P99Z'
Source: jXtV6KO1A7.exe, r19Igje33fQNCUvBAux.cs	High entropy of concatenated method names: 'eMqBe1dbgZ', 'k46BBnlJbk', 'VjSBmZYr0L', 'rIgYE94kKfQrlDnNqRJu', 'K6qtLU4kWYfSejko08NX', 'rOuYLJ4k4fLOS2xPU6LT', 'ygvBbIjy8h', 'pGK0wm4kB5gU7fmIRZPR', 'YV8R8i4kmK0INmuyfJpq', 'Sq6eZq4k7YQFaARqBKlY'
Source: jXtV6KO1A7.exe, pshnry2AJlYmMqYJ1Ja.cs	High entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'T4u2GNnPyf', 'nfw4FTvqWhX', 'm2otR24padHlYSk1ggFx', 'zVg9SW4pw9R7BFsDYL02', 'D2BIBB4puVTl10LnVHUu', 'KvYFux4pvURrPxo5BKPh', 'F8KMqA4pr9pSih4K1NrS'
Source: jXtV6KO1A7.exe, K7lEOTkq5rXL5pCfso5.cs	High entropy of concatenated method names: 'JenkiQaPNo', 'XY9kVWRD6T', 'W34kyWIUcM', 'LQ6k3MACsa', 'C0AkdEJdvd', 'Ru3YA14yuMTSfj96apN6', 'xp4XdF4yadHle8l9FxAb', 'EEeVlT4yvbT1C8vBUUZO', 'aSgJWm4yHYZf1ZPAKfo6', 'wZZiJR4ywTSjkvnXDjID'
Source: jXtV6KO1A7.exe, s8PdcCjRKMLjTbqotB4.cs	High entropy of concatenated method names: 'method_0', 'rQDj93Nc8c', 'uvbjOrm18s', 'Dq2j0PnKX6', 'X0Ejf8HHhV', 'XFrjCfpnWf', 'huHj8eN366', 'x1QFNq4QWsGTRLgCfJn7', 'E5M1Te4qUw3YZLNDdtSG', 'wXt9KL4qziFOqSEGAFPH'
Source: jXtV6KO1A7.exe, uShhk0AHykXAiGEgawA.cs	High entropy of concatenated method names: 'WCMAaEJa8S', 'CMTAhZeUe1', 'mVPA6ZprVq', 'XiJA1cffGi', 'ic9AnJMvv6', 'cGQADvSDJW', 'yNHA5Ujken', 'JjJAjljNVR', 'Dispose', 'qC9k1j4xNFYZZDprvINt'
Source: jXtV6KO1A7.exe, BHendbFQscU71n5XNnN.cs	High entropy of concatenated method names: 'vlLFAsIoWi', 'C0VSsp4OUdNN0W9kMkBJ', 'iotj4T4OGsLZFEmWhDgZ', 'xQccMd4OEF8hdGnjjEu4', 'KJH8Dx4OziO0fDs4PlpI', 'sEi4a140Wrf904K3k9F6', 'P9X', 'vmethod_0', 'Mbf4BsyLJVe', 'imethod_0'
Source: jXtV6KO1A7.exe, UxgpFwKm3IfbiuoGPXT.cs	High entropy of concatenated method names: 'p3VKYlkUbu', 'SPbKFHNpVe', 'r1PKobEUEY', 'm1KKcXqJui', 'UtJMC74Sws508ugqt8xG', 'lRSFb54SLx0o5pJwrdeO', 'IoliDr4SH9Zk22Wq52tv', 'FFsVfc4SuJ8yIqdZN1sx', 'YNimbM4SaMsFNXoNQUMu', 'Tap36g4SvKUehViut4PO'
Source: jXtV6KO1A7.exe, sOr13TndyiIdJ5TfKJ9.cs	High entropy of concatenated method names: 'CPenXhPB9p', 'e6bnZ0RR8R', 'n8rnA3X0QQ', 'bCenxur5Fo', 'YdBnGSAwpd', 'YeNfPp4NPpqn1j6b6tiJ', 'uBcqTT4NsusAF010pCJu', 'dRAxXC4NSfJ84j9u8M7n', 'zUpABR4NkRxG6gZPun3G', 'ULPPDZ4NRgKrtoRaRH1J'
Source: jXtV6KO1A7.exe, GDk0A3M0qgjbm9v73X8.cs	High entropy of concatenated method names: 'xtMax34ZgqKji4HRtybk', 'DC5pyv4ZhjsjkJRbs90V', 'UcN7JI4Z294m1mOGZmKd', 'zCpZyU4ZaRgOAOjR8C1F', 'hjvSuX4Zvd92n5bukmXc', 'V1uhf04Zr3p4KG8pxLQE', 'Gp6Yhm4ZwZghxklki8mf', 'AwYTxw4ZuPvBCo0mCBSj'
Source: jXtV6KO1A7.exe, z1nx5MEIPMX0iKPwoiJ.cs	High entropy of concatenated method names: 'OY447lue30C', 'm52479BqOAM', 'tiM47OLwvpm', 'NEG470RZGBV', 'OVO47figMKO', 'VY147CZ141s', 'Oag478Mvyom', 'hLbUmajfki', 'O7C47IApGXM', 'Hxv47MEXHD1'
Source: jXtV6KO1A7.exe, ecAndcmNsb8N9C7T3pt.cs	High entropy of concatenated method names: 'hRfmyiWLIk', 'kDwjbc4RAyRsYRbadNOU', 'JajhTU4RX6v2YwpkTrdk', 'nLa8Ku4RZJuTKY8dagdG', 'nP8uOB4Rx816YpHtqAfQ', 'IYoGw84RGeLJGv2OR5K6', 'U1J', 'P9X', 'Eoi4Baey3a9', 'WpA4Bvm9XN8'
Source: jXtV6KO1A7.exe, Vln0LAmapLMiI2Zt59i.cs	High entropy of concatenated method names: 'bbDmsjadP8', 't4imSsdyHi', 'TJimPphApW', 'aC4P134RR0mZw4gm5lPD', 'KPhPrg4RP2Y2nfZm7Tyf', 'dUIVVo4RkYhZnk8KGq5T', 'e1gMyX4Rl3u8OmRiv4ms', 'vrGmnhYH6D', 'f7kmDWQ99L', 'kgaQFU4Rj3hNf40LViDP'
Source: jXtV6KO1A7.exe, MH1a5v4wTEhLbfqHMSD.cs	High entropy of concatenated method names: 'k294alZVhw', 'Dkw4v9c5Vc', 'YTt4rjNFrc', 'lGDEKr4sgtlmjBmIqjXb', 'iBrrlB4shRC9YVHGn2xy', 'Mx7aEM4s2CMYfFNO0ZaY', 'b8HsJA4s6BEcr3vITZsS', 'BdeWXL4s1IbT68IxF1ko'
Source: jXtV6KO1A7.exe, hQ5Vfa4UkhiCGFkp8Wh.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'qjt4F4EgSfx', 'o5v4B4peqhS', 'CQnyDV4SWnOpb5a5sVyN', 'pjtlRJ4S4sVlJOhNwxdy', 'Dx47Gv4SKLyU0ohp61WB', 'FBaJCB4SeP9T7uVaTH75'
Source: jXtV6KO1A7.exe, BgPJVWhXxxCCvckYgoc.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'y9i4FHI5PCQ', 'JIl4BQk4GJv', 'M1ZsyV4MFSrtpLtM5F5q', 'Ritray4MoIaWwIZWfwYd', 'QQ8NtL4McQwFfObDvQRS', 'My4C9H4MbpserHwJUd9w', 'o0R14B4MLdOCU5eFJIOk'
Source: jXtV6KO1A7.exe, eu4veQSQYKFpVxad5UP.cs	High entropy of concatenated method names: 'uONSV2lKAl', 'oaWSyEWhuk', 'PrhS3g3yj4', 'ruZjiL4ihQFBsfPmKnFU', 'HGq0Uo4irtV5v0imwl4u', 'Q8dLVK4iTLGQ5Y3Xbxkt', 'YSlv5c4i2xo0em3IIgMm', 'x3YNH34igYNjM2Tna77m', 'Wcvda44i68nEaV4Jpi6u'
Source: jXtV6KO1A7.exe, OrS90XF61pkxJbU3RQs.cs	High entropy of concatenated method names: 'gbBFnmgduh', 'OoI9vb4O5QvNkUyYrv29', 'QD8aMQ4OjY8bp93sqmpk', 'K4Ydi84OssImj37yXQX9', 'aNubCP4OSrGh1iSujCN6', 'Ulvf6v4OPdvcmooKvBU3', 'PDWkAI4OnDBhs7OPGCX7', 'PClO8N4ODq9JMeraT4Wd', 'C1EqTV4OkiwmtNEEUEKE'
Source: jXtV6KO1A7.exe, rVdLQ9ubiOt1BGCb2bH.cs	High entropy of concatenated method names: 'Dispose', 'C5TuHQAsk5', 'FHPuw5Yw0M', 'Duluu8DjE7', 'wL5uD44Cp0NZ4ggBVHkb', 'd5Np6j4CJwOeZyWe8r9D', 'pj7RaR4CNLintGeUuAmN', 'IE0VRf4CqDX7DNlJjaVE', 'TbHRLK4CQ6qZq84NMZmu', 'VwhPlw4CiFFp3sYd2vVe'
Source: jXtV6KO1A7.exe, A8bVaYKRdqscTirTMOw.cs	High entropy of concatenated method names: 'XOOKpExr1N', 'eOtKJjV1Wi', 'ld4lBT4Sf8aDw2da627I', 'ldRDvK4SCix7UgCjhdcT', 'J1Qc8k4S8UCYQgqZLDWs', 'nJjKi39fZp', 'bP6RrN4SJtGe6ok9h5dX', 'S4ESyw4SM5DVmmXyoJfo', 'iHqjH84SpxB1BpuyHQBx', 'YLeK9i2bYw'
Source: jXtV6KO1A7.exe, QOZEIoYpjlwX7WbrDO1.cs	High entropy of concatenated method names: 'NliYALENRU', 'Hb8YxUAw8S', 'p53XJZ49A7DnXWWOiFpp', 'iqXObw49X8kUqO8QW06K', 'TF5Z8549Zc0QSCNuHvSY', 'wrxOKJ49x78e2eXGccLw', 'Im9YNXTjau', 'l3nYqGlI3N', 'oN2YQnyJRq', 'IGGYixYM8S'
Source: jXtV6KO1A7.exe, fWvR5H7pKAOOpI4lhh4.cs	High entropy of concatenated method names: 'Crv7AHaOfP', 'wFb7x9M7cQ', 'H2K7GSHlhV', 'SPPFOP4ldj56bvHjZrJQ', 'Im3OWu4ltYs8PEErxCVc', 'Fk5vYk4lyK8MuQLJkSGk', 'rrRa1R4l3ywLfucVIiBK', 'pb07NBWnNY', 'DN07q4nJq4', 'rR67QVlnIc'
Source: jXtV6KO1A7.exe, y9FrVeFcu7JX2YlKeRe.cs	High entropy of concatenated method names: 'XreFLc64yP', 'f7aFH6cPOy', 'Hp0FwTXp1a', 'IGvTQT4OFg1NLXcKjtMM', 'Fw86244O7bvMFt3TfWkM', 'ww4rrV4OYVlHsA7a5eSj', 'yp7R0Q4Oot3K9c1PvxHr', 'NMfhBJ4OcbRGtBsalaSi', 'TL9OeN4Obi5INbjxKdwi', 'luZqOU4OLdycJ91g0voa'
Source: jXtV6KO1A7.exe, O7sonW5nGCkcgv4rx3P.cs	High entropy of concatenated method names: 'amJ55HSxfP', 'Qek5jUsCyq', 'L8x5s0SlEL', 'Vak5S3OSos', 'dA75PykEfd', 'GURpfH4qjNSin8Ijnmdp', 'tWCg5U4qsSCqnXHAYpSc', 'PgjSFv4qSct27rfsHkVq', 'br5Kyg4qPGS2BHDnDGrq', 'e6rcUu4qk0kdC0eEXeIm'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Drops PE files

Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\PqilTgDk.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\LAruMjCr.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\sefxVWpg.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\sQKOYFFi.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\taSXmSLk.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\bXOSCjJR.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\ptzhOIen.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\FUwWbQoJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\ESXfsmJN.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\mHjHeUgp.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\iQFjSUoF.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\LIbMrSdw.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\Public\Pictures\hYMmOtYRdhDhf.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\fcnjtBSI.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\AZuFUlyQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\WxtkghQV.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\UZaSZUPd.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\QjjbSXPj.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\zXVOlHTT.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\GSXexQDE.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\UvHCLyMa.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\FPynOmYI.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\upByWoUh.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\DSJnFhkO.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\pwmQgNor.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\fNEJJgKL.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\UrhkoqJf.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\ugRfrFtb.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\utbPtwXc.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\BifwrcrL.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\cXcKpojQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\jFwZJlcu.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\IFbmiezC.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\WcMBvDTY.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\rqbpkIti.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\AUxWHHiO.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\gXpAgXCG.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\wetnNFIW.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\OCediSHm.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\lyyPHcot.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\PvfTgKTl.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\bsvBnNGP.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\PySDyPdp.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\jBWHmcZz.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\nrNytZZs.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\zxAgkPgS.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\eDwAwSEJ.log	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe			Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\IFbmiezC.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\ptzhOIen.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\WcMBvDTY.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\FUwWbQoJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\ugRfrFtb.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\lyyPHcot.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\UrhkoqJf.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\AZuFUlyQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\rqbpkIti.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\PvfTgKTl.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\taSXmSLk.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\nrNytZZs.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\fNEJJgKL.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\UZaSZUPd.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\DSJnFhkO.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\upByWoUh.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\sefxVWpg.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\jBWHmcZz.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\bXOSCjJR.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\QjjbSXPj.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\GSXexQDE.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\wetnNFIW.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\fcnjtBSI.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\sQKOYFFi.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\pwmQgNor.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\eDwAwSEJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\ESXfsmJN.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\cXcKpojQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\zXVOlHTT.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\iQFjSUoF.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\PySDyPdp.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\FPynOmYI.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\LIbMrSdw.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\AUxWHHiO.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\PqilTgDk.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\gXpAgXCG.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\LAruMjCr.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\utbPtwXc.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\jFwZJlcu.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\OCediSHm.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\mHjHeUgp.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\UvHCLyMa.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\BifwrcrL.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\bsvBnNGP.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\zxAgkPgS.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\WxtkghQV.log	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jXtV6KO1A7	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jXtV6KO1A7	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jXtV6KO1A7	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jXtV6KO1A7	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jXtV6KO1A7	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Memory allocated: 1820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Memory allocated: 1B730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 10B0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 1ABC0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: FF0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 1AC00000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Memory allocated: 1B000000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Memory allocated: 17E0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Memory allocated: 1B3A0000 memory reserve \| memory write watch
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Memory allocated: 1250000 memory reserve \| memory write watch
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Memory allocated: 1AF80000 memory reserve \| memory write watch
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Memory allocated: AD0000 memory reserve \| memory write watch
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Memory allocated: 1A5F0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Memory allocated: 1AEF0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Memory allocated: 1720000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Memory allocated: 1B2A0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 19C0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 1B370000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 1060000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 1AC00000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 1270000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 1ADA0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Memory allocated: DE0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Memory allocated: 1ACA0000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2809	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1287	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1357	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1295
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1388
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1361
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1353
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1726
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1417
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1318
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1277
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1466
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2299
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1274
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1604
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 969
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1646
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 970

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\upByWoUh.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DSJnFhkO.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PqilTgDk.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UrhkoqJf.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LAruMjCr.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ugRfrFtb.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pwmQgNor.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\utbPtwXc.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sefxVWpg.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fNEJJgKL.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BifwrcrL.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sQKOYFFi.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\taSXmSLk.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cXcKpojQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jFwZJlcu.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IFbmiezC.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bXOSCjJR.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WcMBvDTY.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AUxWHHiO.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rqbpkIti.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ptzhOIen.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gXpAgXCG.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FUwWbQoJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wetnNFIW.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ESXfsmJN.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mHjHeUgp.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OCediSHm.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iQFjSUoF.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LIbMrSdw.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lyyPHcot.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PvfTgKTl.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fcnjtBSI.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AZuFUlyQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bsvBnNGP.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PySDyPdp.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WxtkghQV.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UZaSZUPd.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QjjbSXPj.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jBWHmcZz.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nrNytZZs.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zxAgkPgS.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zXVOlHTT.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GSXexQDE.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eDwAwSEJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UvHCLyMa.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FPynOmYI.log	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe TID: 6588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8052	Thread sleep count: 2809 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9200	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8932	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8084	Thread sleep count: 1287 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9204	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8908	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184	Thread sleep count: 1357 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1700	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8884	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8256	Thread sleep count: 1295 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8892	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe TID: 6016	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8260	Thread sleep count: 1388 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9196	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8916	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8356	Thread sleep count: 1361 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5064	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712	Thread sleep count: 1353 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8900	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe TID: 8000	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep count: 1726 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8456	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8344	Thread sleep count: 1417 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7832	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9012	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8420	Thread sleep count: 1318 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8512	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8988	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8688	Thread sleep count: 1277 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9064	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8708	Thread sleep count: 1466 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8204	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9048	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8684	Thread sleep count: 2299 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2448	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9112	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8704	Thread sleep count: 1274 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8380	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9040	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8712	Thread sleep count: 1604 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8248	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9128	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8656	Thread sleep count: 969 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6392	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8996	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8744	Thread sleep count: 1646 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8960	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8284	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9136	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8676	Thread sleep count: 970 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8324	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9148	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe TID: 9972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe TID: 9144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe TID: 7236	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe TID: 10180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe TID: 8864	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe TID: 8836	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe TID: 5852	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe TID: 9028	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe TID: 9920	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe TID: 10004	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process token adjusted: Debug
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Process token adjusted: Debug
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Process token adjusted: Debug
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Process token adjusted: Debug
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\My Pictures\hYMmOtYRdhDhf.exe'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ado\en-US\Registry.exe'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\hYMmOtYRdhDhf.exe'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jXtV6KO1A7.exe'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\My Pictures\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ado\en-US\Registry.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jXtV6KO1A7.exe'	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hoedt554\hoedt554.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\My Pictures\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ado\en-US\Registry.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jXtV6KO1A7.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dlRCjeHhst.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAFD2.tmp" "c:\Windows\System32\CSCDDA5522436C442998F7B48C7E6412627.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe "C:\Users\Public\Documents\hYMmOtYRdhDhf.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe C:\Users\Public\Documents\hYMmOtYRdhDhf.exe

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Queries volume information: C:\Users\user\Desktop\jXtV6KO1A7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Queries volume information: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Queries volume information: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Queries volume information: C:\Users\user\Desktop\jXtV6KO1A7.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Queries volume information: C:\Users\user\Desktop\jXtV6KO1A7.exe VolumeInformation
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Queries volume information: C:\Program Files\Common Files\System\ado\en-US\Registry.exe VolumeInformation
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Queries volume information: C:\Program Files\Common Files\System\ado\en-US\Registry.exe VolumeInformation
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Queries volume information: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe VolumeInformation
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Queries volume information: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe VolumeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Queries volume information: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe VolumeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Queries volume information: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Queries volume information: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe VolumeInformation
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Queries volume information: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe VolumeInformation

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: Process Memory Space: hYMmOtYRdhDhf.exe PID: 2108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hYMmOtYRdhDhf.exe PID: 8828, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: jXtV6KO1A7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.jXtV6KO1A7.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1634670722.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: jXtV6KO1A7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.jXtV6KO1A7.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: Process Memory Space: hYMmOtYRdhDhf.exe PID: 2108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hYMmOtYRdhDhf.exe PID: 8828, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: jXtV6KO1A7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.jXtV6KO1A7.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1634670722.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: jXtV6KO1A7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.jXtV6KO1A7.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

AV Detection

Antivirus / Scanner detection for submitted sample

Source: jXtV6KO1A7.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	ReversingLabs: Detection: 71%
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	ReversingLabs: Detection: 71%
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	ReversingLabs: Detection: 71%
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\Public\Pictures\hYMmOtYRdhDhf.exe	ReversingLabs: Detection: 71%
Source: C:\Users\Public\Pictures\hYMmOtYRdhDhf.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\user\Desktop\DSJnFhkO.log	Virustotal: Detection: 19%	Perma Link
Source: C:\Users\user\Desktop\FUwWbQoJ.log	ReversingLabs: Detection: 30%
Source: C:\Users\user\Desktop\FUwWbQoJ.log	Virustotal: Detection: 30%	Perma Link
Source: C:\Users\user\Desktop\LAruMjCr.log	ReversingLabs: Detection: 30%
Source: C:\Users\user\Desktop\LAruMjCr.log	Virustotal: Detection: 30%	Perma Link
Source: C:\Users\user\Desktop\LIbMrSdw.log	Virustotal: Detection: 7%	Perma Link
Source: C:\Users\user\Desktop\PqilTgDk.log	Virustotal: Detection: 7%	Perma Link

Multi AV Scanner detection for submitted file

Source: jXtV6KO1A7.exe	ReversingLabs: Detection: 71%
Source: jXtV6KO1A7.exe	Virustotal: Detection: 73%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Joe Sandbox ML: detected
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: jXtV6KO1A7.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Unpacked PE file: 0.2.jXtV6KO1A7.exe.3520000.8.unpack

Uses 32bit PE files

Source: jXtV6KO1A7.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Directory created: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Directory created: C:\Program Files\Common Files\System\ado\en-US\ee2ad38f3d4382	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Directory created: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Directory created: C:\Program Files\Windows Media Player\Media Renderer\9e8d7a4ca61bd9	Jump to behavior

Source: jXtV6KO1A7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: 7C:\Users\user\AppData\Local\Temp\hoedt554\hoedt554.pdb source: jXtV6KO1A7.exe, 00000000.00000002.1834254846.0000000003E86000.00000004.00000800.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49736 -> 104.21.20.157:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: powershell.exe, 00000038.00000002.1952279119.000002B200225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000016.00000002.2159012209.0000022A3BEE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2071924859.0000022CE0DD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2077647194.000001AAD83FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2032142365.0000011880227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2077811589.0000022663D06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2078823317.00000243308B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2081419960.000001304F077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2175269170.000001ABD2277000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2080969052.00000209264D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2078108765.0000022004695000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2001207752.0000022E80225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2033089276.000001D180227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2035261064.00000216B4ED6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2077744353.0000020A5A925000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2032903250.0000014C65475000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1992948818.00000201C2BC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2081491659.000001CB5D6CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1952279119.000002B200225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: jXtV6KO1A7.exe, 00000000.00000002.1834254846.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2159012209.0000022A3BCC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2071924859.0000022CE0BB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2077647194.000001AAD80C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2032142365.0000011880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2077811589.0000022663AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2078823317.0000024330691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2081419960.000001304EE51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2175269170.000001ABD2051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2080969052.00000209262D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2078108765.0000022004471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2001207752.0000022E80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2033089276.000001D180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2035261064.00000216B4CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2077744353.0000020A5A631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2032903250.0000014C65251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1992948818.00000201C29A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2081491659.000001CB5D321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1952279119.000002B200001000.00000004.00000800.00020000.00000000.sdmp, hYMmOtYRdhDhf.exe, 00000047.00000002.1936550000.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000016.00000002.2159012209.0000022A3BEE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2071924859.0000022CE0DD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2077647194.000001AAD83FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2032142365.0000011880227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2077811589.0000022663D06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2078823317.00000243308B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2081419960.000001304F077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2175269170.000001ABD2277000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2080969052.00000209264D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2078108765.0000022004695000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2001207752.0000022E80225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2033089276.000001D180227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2035261064.00000216B4ED6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2077744353.0000020A5A925000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2032903250.0000014C65475000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1992948818.00000201C2BC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2081491659.000001CB5D6CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1952279119.000002B200225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000038.00000002.1952279119.000002B200225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000016.00000002.2159012209.0000022A3BCC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2071924859.0000022CE0BB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2077647194.000001AAD80C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2032142365.0000011880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2077811589.0000022663AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2078823317.0000024330691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2081419960.000001304EE51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2175269170.000001ABD2051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2080969052.00000209262D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2078108765.0000022004471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2001207752.0000022E80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2033089276.000001D180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2035261064.00000216B4CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2077744353.0000020A5A631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2032903250.0000014C65251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1992948818.00000201C29A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2081491659.000001CB5D321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1952279119.000002B200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000038.00000002.1952279119.000002B200225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester

Creates files inside the system directory

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Windows\Logs\CBS\23fc0d88861170	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSCDDA5522436C442998F7B48C7E6412627.TMP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSCDDA5522436C442998F7B48C7E6412627.TMP

Jump to behavior

Detected potential crypto function

Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Code function: 72_2_00007FFD9B890D48	72_2_00007FFD9B890D48
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Code function: 72_2_00007FFD9B890E43	72_2_00007FFD9B890E43
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Code function: 80_2_00007FFD9B880D48	80_2_00007FFD9B880D48
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Code function: 80_2_00007FFD9B880E43	80_2_00007FFD9B880E43
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A107C	81_2_00007FFD9B8A107C
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A0000	81_2_00007FFD9B8A0000
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A0ED1	81_2_00007FFD9B8A0ED1
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A01FA	81_2_00007FFD9B8A01FA
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A01D3	81_2_00007FFD9B8A01D3
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B890D48	81_2_00007FFD9B890D48
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B890E43	81_2_00007FFD9B890E43
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A15CB	81_2_00007FFD9B8A15CB

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\Desktop\AUxWHHiO.log A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
Source: Joe Sandbox View	Dropped File: C:\Users\user\Desktop\AZuFUlyQ.log 873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C

Sample file is different than original file name gathered from version info

Source: jXtV6KO1A7.exe, 00000000.00000000.1635044803.0000000001306000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs jXtV6KO1A7.exe

Uses 32bit PE files

Source: jXtV6KO1A7.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: jXtV6KO1A7.exe, Sof8BSxrWYXaV5JrfcE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: jXtV6KO1A7.exe, Sof8BSxrWYXaV5JrfcE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: jXtV6KO1A7.exe, Sof8BSxrWYXaV5JrfcE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: jXtV6KO1A7.exe, Sof8BSxrWYXaV5JrfcE.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@84/148@0/0

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

File created: C:\Program Files\Common Files\System\ado\en-US\Registry.exe

Jump to behavior

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

File created: C:\Users\user\Desktop\taSXmSLk.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6352:120:WilError_03
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Mutant created: NULL
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-MhLmxgcY3RcYqiSTprPX
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8508:120:WilError_03

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

File created: C:\Users\user\AppData\Local\Temp\hoedt554

Jump to behavior

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dlRCjeHhst.bat"

Source: jXtV6KO1A7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: jXtV6KO1A7.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: jXtV6KO1A7.exe	ReversingLabs: Detection: 71%
Source: jXtV6KO1A7.exe	Virustotal: Detection: 73%

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

File read: C:\Users\user\Desktop\jXtV6KO1A7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\jXtV6KO1A7.exe "C:\Users\user\Desktop\jXtV6KO1A7.exe"
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hoedt554\hoedt554.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAFD2.tmp" "c:\Windows\System32\CSCDDA5522436C442998F7B48C7E6412627.TMP"
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: unknown	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe C:\Users\Public\Documents\hYMmOtYRdhDhf.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: unknown	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe C:\Users\Public\Documents\hYMmOtYRdhDhf.exe
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\My Pictures\hYMmOtYRdhDhf.exe'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ado\en-US\Registry.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\hYMmOtYRdhDhf.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jXtV6KO1A7.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\jXtV6KO1A7.exe C:\Users\user\Desktop\jXtV6KO1A7.exe
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dlRCjeHhst.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\jXtV6KO1A7.exe C:\Users\user\Desktop\jXtV6KO1A7.exe
Source: unknown	Process created: C:\Program Files\Common Files\System\ado\en-US\Registry.exe "C:\Program Files\Common Files\System\ado\en-US\Registry.exe"
Source: unknown	Process created: C:\Program Files\Common Files\System\ado\en-US\Registry.exe "C:\Program Files\Common Files\System\ado\en-US\Registry.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown	Process created: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe "C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe"
Source: unknown	Process created: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe "C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe "C:\Users\Public\Documents\hYMmOtYRdhDhf.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe "C:\Users\Public\Documents\hYMmOtYRdhDhf.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\Public\Documents\hYMmOtYRdhDhf.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe C:\Users\Public\Documents\hYMmOtYRdhDhf.exe
Source: unknown	Process created: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe "C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe"
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hoedt554\hoedt554.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\My Pictures\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ado\en-US\Registry.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jXtV6KO1A7.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dlRCjeHhst.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAFD2.tmp" "c:\Windows\System32\CSCDDA5522436C442998F7B48C7E6412627.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe "C:\Users\Public\Documents\hYMmOtYRdhDhf.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe C:\Users\Public\Documents\hYMmOtYRdhDhf.exe

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: version.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: mscoree.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: version.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Directory created: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Directory created: C:\Program Files\Common Files\System\ado\en-US\ee2ad38f3d4382	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Directory created: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Directory created: C:\Program Files\Windows Media Player\Media Renderer\9e8d7a4ca61bd9	Jump to behavior

Source: jXtV6KO1A7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: jXtV6KO1A7.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: jXtV6KO1A7.exe

Static file information: File size 3682816 > 1048576

Source: jXtV6KO1A7.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x382a00

Source: jXtV6KO1A7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: 7C:\Users\user\AppData\Local\Temp\hoedt554\hoedt554.pdb source: jXtV6KO1A7.exe, 00000000.00000002.1834254846.0000000003E86000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Unpacked PE file: 0.2.jXtV6KO1A7.exe.3520000.8.unpack

.NET source code contains method to dynamically call methods (often used by packers)

Source: jXtV6KO1A7.exe, Sof8BSxrWYXaV5JrfcE.cs

Compiles C# or VB.Net code

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hoedt554\hoedt554.cmdline"
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hoedt554\hoedt554.cmdline"			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A92D8 push esi; retf	81_2_00007FFD9B8A92D9
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A9ADA push eax; ret	81_2_00007FFD9B8A9ADF
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Code function: 81_2_00007FFD9B8A01D3 push FFFFFFE8h; ret	81_2_00007FFD9B8A01F9

Source: jXtV6KO1A7.exe, v9wlNN90KHNePaOdLWf.cs	High entropy of concatenated method names: 'Close', 'qL6', 'Jtg9CRy9mV', 'IHr9878dOC', 'vBG9IilKa8', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: jXtV6KO1A7.exe, Sof8BSxrWYXaV5JrfcE.cs	High entropy of concatenated method names: 'VxgYUg4G8xSyplGHp69I', 'ELKFkG4GICPqj8UHlFJ5', 'XTkGXpmned', 'mxypjo4GNjYyyPe57iGf', 'bh3CnM4Gq6Cw6fo6bV6m', 'dVX5Zf4GQH7axc6cI5gH', 'REDSpn4GiIB0FBkRGdf7', 'QNWpab4GVav74Q7O1h2P', 'mr20iO4GyvBIvxiRKIXm', 'dMaOid4G3R19eCMmxrgf'
Source: jXtV6KO1A7.exe, TJI8QMETuBbK7WvNDqh.cs	High entropy of concatenated method names: 'iSGEP3OoDQ', 'EkEEkJgoN5', 'ow4ERgkK4Q', 'TxfElGMHmR', 'oMNE94iTGD', 'gjjEOMdxjv', 'GxCE0TKFlm', 'ApSEfE5gId', 'qWmEC9a3qB', 'iARE8n31Ki'
Source: jXtV6KO1A7.exe, NIwBwAjbtQo4VncamWM.cs	High entropy of concatenated method names: 'W5ojHHOmBR', 'aHXjwQAEOi', 'udYjug2UsZ', 'CZnjak8evd', 'hx2jv4Pif6', 'VLeBCh4q3RHN2FqjsE9T', 'UoGw5R4qVWyCkpaoaFUC', 'XvfMhW4qyGWgoIa1LaC8', 'YNsmuL4qdP3tntZKOWPc', 'N4yQuo4qtQB5EAwZmt3X'
Source: jXtV6KO1A7.exe, kK23xlrR3usDBoqg1v.cs	High entropy of concatenated method names: 'oyvONlAk8', 'fScOPI4j9RrQF45C4IhS', 'whFyi54jO4MrS8bnuAYl', 'BAkrTq4jR5HHPIso6PrZ', 'Twxwq94jllLPr5UjGQVo', 'FwfhwRoLX', 'rgU2B2pDn', 'UgsgRFUeC', 'HGB6PMpdK', 'UW21udg3A'
Source: jXtV6KO1A7.exe, tUY1UR4X5CI5ZGd5aXp.cs	High entropy of concatenated method names: 'P9X', 'iKw4AZSQFT', 'ETC4FWM0dMv', 'imethod_0', 'Piq4xKWOAY', 'XOXx4Q4sABueJ0dJD7oj', 'hJFm4Q4sxR6e2cfEkbwI', 'eR7B514sXSJf4M9pDJud', 'g5ucxi4sZYJywks1Uyaj', 'nsRASQ4sGr9HIXNLZOeJ'
Source: jXtV6KO1A7.exe, bBMmLcxWbZnJbGZ2scE.cs	High entropy of concatenated method names: 'LNYxB9tPlT', 'UMoxmHO5Zp', 'tlnqth4GT58i3br3M6dX', 'I4TLln4GhfRn1uW7Jmnv', 'UBLn3h4GvCFqGL530R98', 'GVIoit4GrRdZJunCwcYG', 'ogqPUi4G2Z3rW3MUiap6', 'll9xml4GgileFWtnU9qc', 'OHgxKX6VlK', 'SBgLq14GHgapSB8xf6GH'
Source: jXtV6KO1A7.exe, JvThxUPHhs3fRiKhErn.cs	High entropy of concatenated method names: 'psiPu8RGjC', 'HnqARB4i3mEq9XlRiiJu', 'EM7MK24iVBKN6wwDBabB', 'nOv05r4iyIC20j16dc61', 'w3Ter14idoHx0aZOW6VF', 'dvhYKb4it834Ab2X0sEg', 'v9kefv4iXd0LXh6xEVgn'
Source: jXtV6KO1A7.exe, c6b4k4ZlhXdc3Re7pCp.cs	High entropy of concatenated method names: 'vw2ZO666ba', 'YEJZ0SsbU7', 'NdWZfuaox8', 'cx5ZCru093', 'STGZ8SLdon', 'KcFZIEmhCD', 'kg2ZMC1lbe', 'FgmZpYGcq0', 'o8qZJUlWgd', 'BUyZNJGnth'
Source: jXtV6KO1A7.exe, TRFNR4ARNGBxQwYlgx3.cs	High entropy of concatenated method names: 'WjqA9nMFTe', 'COXAOvl7ZX', 'ePZA0lDBIg', 'RatAf0RxZk', 'Dispose', 'Ex51Mo4xX5rClsAUE0Oa', 'BM06VB4xdIM8Vn9y4SbK', 'tkTtoH4xtBEMqc2wATgF', 'Pcpdm84xZ16f9m9PsJ93', 'oY1KLE4xANnrC9ODUQKF'
Source: jXtV6KO1A7.exe, NAxTBWBIXyo4Iv3CN0u.cs	High entropy of concatenated method names: 'qUqBEoufMc', 'SAa0CI4RW8qeD3NjH0yQ', 'SGhs2R4kU9qqwK1XFIR0', 'u3yaNb4kzVH7oCteiyBq', 'SaBX9p4RBBdILIMwMjp8', 'ii0ZEi4RKnX5MfthHpEU', 'd06kd74ReRx5l3AaRVax', 'BrnTfM4RmEls8RqNvpoW', 'n45m7y4XKg', 'BUB70W4RY2t8vybZdM8i'
Source: jXtV6KO1A7.exe, ommZBKmoOBW8PT05Qmr.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'Tgu4FmmNWEd', 'o5v4B4peqhS', 'YsTMNJ4RLHfdNQV6eQf9', 'MctBfh4RH8Ibtcyjrkln', 'W3OMUS4RwkOnBuqPIv1J', 'MIsaML4RugDqL8EIH4ic'
Source: jXtV6KO1A7.exe, LRQw5DNVb473yjASxt.cs	High entropy of concatenated method names: 'IndexOf', 'Insert', 'RemoveAt', 'get_Item', 'set_Item', 'method_2', 'Add', 'Clear', 'Contains', 'hGcQ8Xavh'
Source: jXtV6KO1A7.exe, bhwMZIFvakuS1yo68DP.cs	High entropy of concatenated method names: 'xuVF2RhHV4', 'PSpQR74OgZiALinTUjlU', 'tFs1te4OhaqjZiB0bFZ7', 'zrW2Jt4O2IoLr1gqWlYP', 'Jvo84c4O6LYKJYk4rph5', 'UvSFTAv6Rs', 'LPNqGo4Ov5Jk2Ytw4EDG', 'xOsoj94OrV0RejL92Grc', 'jb5CXj4OuELLyuT9XMLQ', 'tCoZGU4OaNxRkFdGycd3'
Source: jXtV6KO1A7.exe, Udqfpvgb62G1CMERL8R.cs	High entropy of concatenated method names: 'Rrr', 'y1x', 'cMa4F6WBNIu', 'Yiu4F1yrwxj', 'maExBT4p9giZrnYk8BAP', 'Ijw3WV4pOaUCVYhNXocZ', 'GJNOQ34p0s2o4KmX5Aum', 'gMXN2p4pfODjTN8evGqi', 'swti414pCGNY96hbWh8q'
Source: jXtV6KO1A7.exe, pAwyNvownuXjJDejYG4.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'sKB0yj40nkGDqSF1f9F3', 'tylcjs40DXce5glL2kM8', 'SuaUkP4051ta9dU49cWq', 'iNUS6j40jtPZb8A3383D'
Source: jXtV6KO1A7.exe, GwcZdU8qZX1tnulCMqE.cs	High entropy of concatenated method names: 'FxF4FDhQU19', 'xZ78il53jF', 'MNr8VPSMRE', 'x1a8y7CR0K', 'NiWjIT4t3paxyNUEjbOD', 'b7igrp4tdp98WncjA4RW', 'yIOla34ttjby0W31Vrxa', 'kEMTS64tX2DGpuBaNL8d', 'yA65vq4tZMp5gpm92cFL', 'DZ0BNd4tAp2PfZE5Iv48'
Source: jXtV6KO1A7.exe, EywiCwY4Cfp8WQsGATB.cs	High entropy of concatenated method names: 'JNeYektbKn', 'KQPYBuWuq0', 'zIhYm2GxTH', 'D5wIkB4lxri7lkxWOEec', 'lHFTM64lZc9uufVsZQli', 'tXbsRx4lA8Cn3vrTLMQ3', 'QXrhAe4lG2i9vYxcLw82', 'wVhEbe4lEgLmmrbpqH6s', 'hHCXqW4lUFbHhoqMu8a1', 'klJHrt4lznjP9Q6lMTFR'
Source: jXtV6KO1A7.exe, BujtVCIRZO8fnYp0raR.cs	High entropy of concatenated method names: 'EiwI94M4Si', 'XVdIO145Tn', 'GfZI0YmKc2', 'HgNIffNUgF', 'HZ3ICMwYJO', 'cTlI8tFMcb', 'nT4IIZ6xu5', 'GEhIMvlHci', 'c4pIp3EDHg', 'VUQIJ55iot'
Source: jXtV6KO1A7.exe, EKQIxo7DmryFrW8i7Bv.cs	High entropy of concatenated method names: 'zV77ROIvvn', 'x61SCN4lP0uQa0ENsyId', 'VUgo4j4lsApJVFUc4rBL', 'h9nmFb4lSryxWCiSCQnH', 'zlurlX4lkqSbv0awjhqC', 'E94', 'P9X', 'vmethod_0', 'V2d4B2qGfPb', 'pbb4FoVHJ29'
Source: jXtV6KO1A7.exe, LoowL6g4sYxDT2nlRc8.cs	High entropy of concatenated method names: 'rC9', 'method_0', 'GDL4FhcmMng', 'udx4F25dBVO', 'qm0pu34p2t4NYBttnZ6T', 'cmn4SF4pg2eq7HYNHYRI', 'gkUb1Y4p6bH4aMJcP6uZ', 'BPOPfM4p1Kd6DXTT7LK2', 'zONWlv4pnWWXnt9YgPSf', 'rPwmjA4pDeaKtSAE2fY7'
Source: jXtV6KO1A7.exe, qhAnr0ncigOj0aqEsm3.cs	High entropy of concatenated method names: 'F3inR6PMkU', 'MYHnLbVlnW', 'nhQnHrLqig', 'qH4nwUhfs3', 'MpinukpJmc', 'TjIna5HUJj', 'phwnvQVG1Q', 'r5jnrJ50BZ', 'XBZnTxBJSf', 'DhEnhiYoXp'
Source: jXtV6KO1A7.exe, HAo0TaYoI7Ajb3yAUkD.cs	High entropy of concatenated method names: 'OBKYbSBCrc', 'xDcYLoTZh0', 'uBGDET49BvWmIhiP6viD', 'ACLlwt49KxYX6iYam1Ls', 'tc8HyC49eqCHysUktLDv', 'HCXOGC49mVyfiuU5WgJs', 't8POIp497nAQjQBaum9U', 'eMCA4Q49YJSybK6tbvrd', 'E25di249FJJ4Au1YjNKV', 'meQjno49oEUVoDwlQHJm'
Source: jXtV6KO1A7.exe, kQh1BAXCBCVc4TCn6Gb.cs	High entropy of concatenated method names: 'Xl04FjFCfSc', 'r3B475T8yIa', 'B7DnO24AI220Mq6Ut4lZ', 'caTIKn4AMdQunONH8Iuu', 'SHqbXr4Ap1US5O9fk46a', 'sSKtRc4AQYtsQs32Vj5m', 'M5wie54ANUSoSY12PRaj', 'rb27ql4AqIEI92djM5yU', 'UE8yNm4Aid3Us6Ra4N96', 'imethod_0'
Source: jXtV6KO1A7.exe, p6JESIK3YZ4Ji9ESCrT.cs	High entropy of concatenated method names: 'orneYj5gMm', 'CTkeDE4SGgtpNh7kBwTc', 'WyLJQy4SEHDa6CVDRxYu', 'wXjBUQ4SUSXcCNCEf5rf', 'NnEpTY4SACfBAxMPlo2d', 'HFJKlx4Sx18V1WNxyAYy', 'QNQfq44SzX98KXS9ZWZI', 'CJHZCZ4PWWBM6jy4gnJI', 'Nl0eWLabeO', 'MLCeKylU9K'
Source: jXtV6KO1A7.exe, m21GGnFskqjvOrpg8Xj.cs	High entropy of concatenated method names: 'SDDFP5IKcw', 'dmsFkQFZSG', 'TgHFRwoCeh', 'lQVFlGFC5v', 'pDZF91ENCP', 'XMvFOulkqO', 't6Bmad4OCeX0Yhk5VJMv', 'RLoxZE4O8IMZ6PD9hAsI', 'OIn9ok4OIPIIxwARQFL9', 'q9b9214OM7egINPDER2d'
Source: jXtV6KO1A7.exe, tDLLuNIxxmig0Ads0he.cs	High entropy of concatenated method names: 'Db6IE1Znlg', 'nplIULpRHH', 'UiiIzgkmr6', 'aQsMWqUDRp', 'oXgM4G1kXp', 'dKmMKR5QSP', 'HAWMeehWp2', 'EWpMBPY52v', 'vBVMmiUVVV', 'WxPM7QO9bp'
Source: jXtV6KO1A7.exe, Ii2mG093oJfe1YZ8GJp.cs	High entropy of concatenated method names: 'AxV9tipjo9', 'k6r', 'ueK', 'QH3', 'BC29XyvNgS', 'Flush', 'uaU9ZxbSmb', 'gbF9AW66Yx', 'Write', 'A0G9x3BwZM'
Source: jXtV6KO1A7.exe, kTPMis6H8ZQ8VsaS3ub.cs	High entropy of concatenated method names: 'c34n4nPQhn', 'J51nhO4NYOUIVjTKBYSi', 'BBFmCN4NmRNRjPGeEy7R', 'BfCiJZ4N7Rcy9vrLgIQn', 'aAf6uxsk7L', 'mLe6as3bx1', 'k3R6vRDhsP', 'ndC6rZAowO', 'PtD6TVftNr', 'gTY6h3P7E5'
Source: jXtV6KO1A7.exe, W4KCGTh89P19TGZeh9p.cs	High entropy of concatenated method names: 'G6shQJ4ePg', 'F4Ohi8q6Pj', 'N78hVUeTvg', 'dA1qX84IUeKD0pY5DPUZ', 'Rgmc5x4IztwUjVup03TE', 'yoeKYY4IGAbnHaaV18N6', 'ePqpsA4IE3qpefsbK7BR', 'FI8hM5qf4h', 'kxmhp6gp4E', 'KTEhJi4ApC'
Source: jXtV6KO1A7.exe, GRFBUSPMPg5jUfxb9C4.cs	High entropy of concatenated method names: 'K5bPJ9iCrm', 'j9QPN7tGH4', 'umRPqAVtAh', 'M2dPQCg0Y1', 'XaCPi3RV9R', 'DsaPVw2I0Z', 'E3ZPy6wq3W', 'rbEP3sh25L', 'tkcPdMTp9K', 'nDnPtDFNB3'
Source: jXtV6KO1A7.exe, V8MJwn8o1Ap0XVwIi8u.cs	High entropy of concatenated method names: 'Rk98D3TBVG', 'Rm8bOn4tCQN2pDr403rs', 'SMA7Ch4t8hZFs0qh3Qe9', 'b6LLcd4t0SuxmtgP4UBr', 'w51DAq4tfmuQdWSBucDN', 'cRfx2r4tIeJv5O11k6xH', 'IPy', 'method_0', 'method_1', 'method_2'
Source: jXtV6KO1A7.exe, PoMnViXRnWFOg9wmKU8.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'pIgX9asNed', 'ihtRBu4AcYVRgBy9L5qo', 'Si5dVN4AbTQCwEa4vJe6', 'oeboNm4ALeSuNa9swp7G', 'TMeoOQ4AHWIqnMESs3Ha', 'Oe1Rru4AwFZKJXAByvKa', 'zfkJeb4Au96pNCSrMY9b'
Source: jXtV6KO1A7.exe, ui4hJiYfH1DXNCKCTsy.cs	High entropy of concatenated method names: 'P9X', 'vmethod_0', 'vbk4BnEbaEW', 'WyK4Fb5dhyg', 'imethod_0', 'atU7dG49Nts0o80LtPEn', 'drRufu49qmSQDl5QI3lh', 'vcQgh749puMJgBZouwCb', 'PuuNqa49JXMAvZGxjD5V', 'IMtnHq49QAYnox6bxfac'
Source: jXtV6KO1A7.exe, oa7W1ARFkEQLP7BMZt0.cs	High entropy of concatenated method names: 'uriRccJHoT', 'dpsRbni9DK', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'RoIRLlBto8', 'method_2', 'uc7'
Source: jXtV6KO1A7.exe, MNu3nMSUqOjb7pB8AbH.cs	High entropy of concatenated method names: 'n0tPW0gVen', 'CVQP4fbSUL', 'fbXPKTs1Hr', 'nLdPeQMxjS', 'ymwPBgjGQ3', 'CBmPmhn7dv', 'o8XhVT4ilZmAPU0XfHlO', 'rJJrcn4i9mtQadQIltFS', 'vSvdts4iOWCmJsAKoMHH', 'd4vj0A4i0CEZSu8WTbbO'
Source: jXtV6KO1A7.exe, wa99r4gap7den2RhLSO.cs	High entropy of concatenated method names: 'xEQoPW4pEkWU10MeL6vj', 'G6wWiU4pUJ4P3gwqaAD1', 'ffsh6c4pz4t9k7vC30t2', 'qLqEd04pxVtVuQRPmqDg', 'F4VFKH4pGZWPXyBTlpuY', 'method_0', 'method_1', 'gLQgrr9YLS', 'IXGgTDiIKw', 'kwaghWuhZJ'
Source: jXtV6KO1A7.exe, DlTFDEoKTvAkdQ3KDrp.cs	High entropy of concatenated method names: 'IyYoBw7P13', 'crNomeegLs', 'yJlo745QcW', 'q5GoY1tUPd', 'SXeoFcu3ZJ', 'spyoo92Llw', 'ArvocL1nvc', 'X4pob6IFTk', 'o4DoLmEUVj', 'p9IoH0V07T'
Source: jXtV6KO1A7.exe, mUloXAzHfdRtUUdB8Z.cs	High entropy of concatenated method names: 'Cs244bQPtt', 'zIZ4eIG5Fd', 'yow4Bk3Yx6', 'z3V4mMJuBs', 'cLY474V6SG', 'SIa4YjflBN', 'TfO4oGq7jN', 'Qc7ORu4scMENyRyfccll', 'bgkLDZ4sbkmLICibITM0', 'lJPmsa4sLRfInLlhvgdV'
Source: jXtV6KO1A7.exe, YNHWV7O3KQbB4xq3GBG.cs	High entropy of concatenated method names: 'oK6rXN4dP04Fn0T2Qe1I', 'J6IMWb4dsmHZKPs2SKh3', 'UBuFFT4dShHkSFLcHSyy', 'WVjDgi4dkU2K6Dc8uhkR', 'iJeOtf6eoe', 'Mh9', 'method_0', 'AQdOXYqgok', 'DatOZBoD3M', 'GtAOA43hvx'
Source: jXtV6KO1A7.exe, Mankk1B5LrcZ46WD19i.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'AHQ4FewNKbB', 'o5v4B4peqhS', 'sJR7HK4kgw5MedVghJfG', 'rw1tcZ4k67F4hDsk5wlb', 'OL2H3P4k1JJFKQP78lyl'
Source: jXtV6KO1A7.exe, jjItJ85X8YOcEk0yhxV.cs	High entropy of concatenated method names: 'O925AdawF2', 'fjg5xAH1kJ', 'O8V5GEqRdf', 'KbF2uW4qppoylxZCJD5u', 'ejUCUW4qJV5wvjBrFMiV', 'o9GInq4qNAA6gJRS4PQt', 'prD4Wv4qqcSWhObQZkL6', 'jQO0R04qQh8GUp8Y9XnT'
Source: jXtV6KO1A7.exe, fIaqeUYh3gm51yI3aAG.cs	High entropy of concatenated method names: 'pmqYSLW8KI', 'a5soAq49SdcvKbXkn7et', 'XSClYD49jrFPWCPIuExi', 'rTno6h49s6Hc3aLoeZnn', 'Mxof6p49PCHCHXlgSn9c', 'HPMphX49kLrKkQCMTimZ', 'iwmYgeNpeD', 'vVPY6kxl4p', 'F0xY1pnUCH', 'yJvYnsVoUZ'
Source: jXtV6KO1A7.exe, ATHxGwPRr8yW0IJwj23.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: jXtV6KO1A7.exe, Tq90TRseE1rB4YEyQMs.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'sLAsmvjrqr', 'Write', 'OL4s7fx8D0', 'UxrsY0XMkK', 'Flush', 'vl7'
Source: jXtV6KO1A7.exe, MCwhNVkUFVmXpdtRWVZ.cs	High entropy of concatenated method names: 'rA0RWu4dJI', 'E4ER4nlD5L', 'Yd7', 'EPTRKN95Qi', 'S18ReBYT4g', 'fMxRBbgh95', 'QsyRmLaSxp', 'dd1FTG4ynfaI7uP9h04Z', 'wQ0MYH4yDIWLc6mWylIT', 'wqctyW4y5AaZT2vouQrT'
Source: jXtV6KO1A7.exe, zCxYFfDN5wYfVsuZW8E.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'pNiDQdZqG8', 'xmrDiqfRQq', 'Dispose', 'D31', 'wNK'
Source: jXtV6KO1A7.exe, KeW8xnYR0nIIabihyHu.cs	High entropy of concatenated method names: 'kOvY9fUXDv', 'vPOYO4QCRg', 'ohTI2Y49OmHPoZaVpq5q', 'CYIBWY49lQgY353p7fkC', 'm8Vw0j4999Qof9R5qevw', 'QeTgAH490EVTofINpSbw', 'kKrrnO49f4tBoZyWcXud', 'bxS6vs49CavARrwdMkpi', 'FmQyMO498tGUDLxOXdIX', 'bIEgSV49IYu7LRxgVumL'
Source: jXtV6KO1A7.exe, niipRxStpUAbGvpuAX3.cs	High entropy of concatenated method names: 'TiRSZlfBhw', 'sRrSAZfKBm', 'vFjSxiHayR', 'QWCSGtVnYl', 'uJwSE3vqTj', 'xGpRkV4i5kc6iJplRX5s', 'KHDnxH4inhUuAYlAm7Lb', 'rqKxbe4iD7GIVOTlBKYq', 'IvnLhw4ijKB0tyjIOpFV', 'aT8u8P4isaHfqlFr8NHM'
Source: jXtV6KO1A7.exe, u8OWbc8RjKNTH92JiSR.cs	High entropy of concatenated method names: 'Ur589mYgvI', 'Phd8Ob7bTK', 'ci180cRkPx', 'MFq8f6hyTF', 'h0F8CwaPan', 'MsS888M1lR', 'CVN8I1bBv0', 'r018MZiXxE', 'tOd8pge1mb', 'wl48Jyt9xf'
Source: jXtV6KO1A7.exe, TjduHGhSRQ6heJb5VOV.cs	High entropy of concatenated method names: 'jEChfdQYMe', 'keGliv4IdB0mWeN6CXyk', 'PfIllh4IylKehbu0LyhV', 'Xluj2L4I3KDVj7X4nNMA', 'HWkKyO4Itul9XmIqivPW', 'KvIhkXpvbZ', 'sWWhRGxCUo', 'PakhlyhsCx', 'MgnDUv4IqW24KnLJmaY1', 'fRtOai4IQMPiZLXQDWOK'
Source: jXtV6KO1A7.exe, bc4Q1pFmDsebgyLcmlH.cs	High entropy of concatenated method names: 'O3I', 'P9X', 'gn24B5l7Zrj', 'vmethod_0', 'imethod_0', 'bNsubT4OWAjWWWNlEkJJ', 'KL15sm4O485QBwrBVYVS', 'eZf8Kk4OKI3BcbgVGqaH', 'CDSIQR4Oer7IuYkqRw80', 'sYwMVh4OBrllnAx92vKq'
Source: jXtV6KO1A7.exe, cWZfEsejZaBjaOlqp8R.cs	High entropy of concatenated method names: 'tcoeJEPccv', 'EV2eNP7EGI', 'LJXeqwjfw2', 'SJhZ4i4Ppgq2FAapq5ZO', 'rHaTtv4PIFafGZhgsNYY', 'TxtrRF4PMEvQpLyxMfb9', 'tm4eS1o3Rq', 'uHQePFsdCE', 'z5pekHhyO7', 'qFJeRnBDuU'
Source: jXtV6KO1A7.exe, OslYaUspwjD1py7hoSm.cs	High entropy of concatenated method names: 'EF0sEXgtMb', 'FBZszPWpIi', 'yaSsNfkMoV', 'lUhsql9VCf', 'l5fsQFlCy9', 'Dj0siFqW6p', 'm6rsVLEOrh', 'o0Nsyewb0Q', 'WFVs3jludC', 'tD4sdoTwat'
Source: jXtV6KO1A7.exe, oC5qAau11K4oL8jmmQw.cs	High entropy of concatenated method names: 'GLehHo5NbF', 'uDthwicOtA', 'EKbOGK4ISpIDURNNU41u', 'XPckZ54Iji5ea0nt8ETr', 'rOrP6L4IsI3CgQxNBxy0', 'M5XGAy4IPhlcvSHIoNsB', 'sbehh2ZRRx', 'DWuuGI4I9awJVcRJZVwb', 'h5GO6n4IRVMrl2ZGOrVZ', 'M8NeoS4IlWdvHnwu3OjJ'
Source: jXtV6KO1A7.exe, Ae2ONu2wJcrJpIRmd2Y.cs	High entropy of concatenated method names: 'rTB22hExt1', 'yIxdaR4MfFqyEdr0Zmjh', 'Crn3LM4MCXdGGo5ix89V', 'to9GUj4MO3h8wIxwbg1W', 'Iejyin4M0Hg4jlYkFJDd', 'jLM2aVeoU8', 'kwYjiu4MSt7BBxtFxqih', 'xkK5si4MPkjm8UI4yiei', 'fuIXtR4Mk19OlaFTP7lS', 'KyPJYx4MRUXMUEIp02lu'
Source: jXtV6KO1A7.exe, oTCP4ElgVO65XBRYR0w.cs	High entropy of concatenated method names: 'Ww39wdPX1I', 'yOmLEq43vC9FabufuvOX', 'UQdKy943raxEnvemkieH', 'kt5', 'YsFl1BxLDE', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'Suz'
Source: jXtV6KO1A7.exe, wHPnojmdmDGvQXXDp1N.cs	High entropy of concatenated method names: 'RhgmGSbecn', 'c9MmER53N4', 'bZMmUrF2AS', 'HwYmziPUWy', 'CgZ7W8b3R5', 'f6V74VT0Qn', 'GWs7KXCGxi', 'qwbjAv4l7FlYyHI3DEGa', 'SD5B784lY6jiA1cC6riU', 'p8RLGO4lBc6HdFbj0jBW'
Source: jXtV6KO1A7.exe, BqhQqQonIer9iNSjioU.cs	High entropy of concatenated method names: 'UnLicv4C23GKjUeFboJC', 'aXCZIZ4CTewA45yB0YF3', 'KLOarI4ChMbKKVUxGnBr', 'A6x6N64Cg4p618JIDsGr', 'iy9wUNbCCK', 'SS4uRX4CDncqeOBIIYJp', 'QFkNms4C1XfogfLRiVbJ', 'YfUU0q4CnRNCYlDyrtHd', 'SnnOSX4C5yNuWQHwTdIZ', 'olEu41P99Z'
Source: jXtV6KO1A7.exe, r19Igje33fQNCUvBAux.cs	High entropy of concatenated method names: 'eMqBe1dbgZ', 'k46BBnlJbk', 'VjSBmZYr0L', 'rIgYE94kKfQrlDnNqRJu', 'K6qtLU4kWYfSejko08NX', 'rOuYLJ4k4fLOS2xPU6LT', 'ygvBbIjy8h', 'pGK0wm4kB5gU7fmIRZPR', 'YV8R8i4kmK0INmuyfJpq', 'Sq6eZq4k7YQFaARqBKlY'
Source: jXtV6KO1A7.exe, pshnry2AJlYmMqYJ1Ja.cs	High entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'T4u2GNnPyf', 'nfw4FTvqWhX', 'm2otR24padHlYSk1ggFx', 'zVg9SW4pw9R7BFsDYL02', 'D2BIBB4puVTl10LnVHUu', 'KvYFux4pvURrPxo5BKPh', 'F8KMqA4pr9pSih4K1NrS'
Source: jXtV6KO1A7.exe, K7lEOTkq5rXL5pCfso5.cs	High entropy of concatenated method names: 'JenkiQaPNo', 'XY9kVWRD6T', 'W34kyWIUcM', 'LQ6k3MACsa', 'C0AkdEJdvd', 'Ru3YA14yuMTSfj96apN6', 'xp4XdF4yadHle8l9FxAb', 'EEeVlT4yvbT1C8vBUUZO', 'aSgJWm4yHYZf1ZPAKfo6', 'wZZiJR4ywTSjkvnXDjID'
Source: jXtV6KO1A7.exe, s8PdcCjRKMLjTbqotB4.cs	High entropy of concatenated method names: 'method_0', 'rQDj93Nc8c', 'uvbjOrm18s', 'Dq2j0PnKX6', 'X0Ejf8HHhV', 'XFrjCfpnWf', 'huHj8eN366', 'x1QFNq4QWsGTRLgCfJn7', 'E5M1Te4qUw3YZLNDdtSG', 'wXt9KL4qziFOqSEGAFPH'
Source: jXtV6KO1A7.exe, uShhk0AHykXAiGEgawA.cs	High entropy of concatenated method names: 'WCMAaEJa8S', 'CMTAhZeUe1', 'mVPA6ZprVq', 'XiJA1cffGi', 'ic9AnJMvv6', 'cGQADvSDJW', 'yNHA5Ujken', 'JjJAjljNVR', 'Dispose', 'qC9k1j4xNFYZZDprvINt'
Source: jXtV6KO1A7.exe, BHendbFQscU71n5XNnN.cs	High entropy of concatenated method names: 'vlLFAsIoWi', 'C0VSsp4OUdNN0W9kMkBJ', 'iotj4T4OGsLZFEmWhDgZ', 'xQccMd4OEF8hdGnjjEu4', 'KJH8Dx4OziO0fDs4PlpI', 'sEi4a140Wrf904K3k9F6', 'P9X', 'vmethod_0', 'Mbf4BsyLJVe', 'imethod_0'
Source: jXtV6KO1A7.exe, UxgpFwKm3IfbiuoGPXT.cs	High entropy of concatenated method names: 'p3VKYlkUbu', 'SPbKFHNpVe', 'r1PKobEUEY', 'm1KKcXqJui', 'UtJMC74Sws508ugqt8xG', 'lRSFb54SLx0o5pJwrdeO', 'IoliDr4SH9Zk22Wq52tv', 'FFsVfc4SuJ8yIqdZN1sx', 'YNimbM4SaMsFNXoNQUMu', 'Tap36g4SvKUehViut4PO'
Source: jXtV6KO1A7.exe, sOr13TndyiIdJ5TfKJ9.cs	High entropy of concatenated method names: 'CPenXhPB9p', 'e6bnZ0RR8R', 'n8rnA3X0QQ', 'bCenxur5Fo', 'YdBnGSAwpd', 'YeNfPp4NPpqn1j6b6tiJ', 'uBcqTT4NsusAF010pCJu', 'dRAxXC4NSfJ84j9u8M7n', 'zUpABR4NkRxG6gZPun3G', 'ULPPDZ4NRgKrtoRaRH1J'
Source: jXtV6KO1A7.exe, GDk0A3M0qgjbm9v73X8.cs	High entropy of concatenated method names: 'xtMax34ZgqKji4HRtybk', 'DC5pyv4ZhjsjkJRbs90V', 'UcN7JI4Z294m1mOGZmKd', 'zCpZyU4ZaRgOAOjR8C1F', 'hjvSuX4Zvd92n5bukmXc', 'V1uhf04Zr3p4KG8pxLQE', 'Gp6Yhm4ZwZghxklki8mf', 'AwYTxw4ZuPvBCo0mCBSj'
Source: jXtV6KO1A7.exe, z1nx5MEIPMX0iKPwoiJ.cs	High entropy of concatenated method names: 'OY447lue30C', 'm52479BqOAM', 'tiM47OLwvpm', 'NEG470RZGBV', 'OVO47figMKO', 'VY147CZ141s', 'Oag478Mvyom', 'hLbUmajfki', 'O7C47IApGXM', 'Hxv47MEXHD1'
Source: jXtV6KO1A7.exe, ecAndcmNsb8N9C7T3pt.cs	High entropy of concatenated method names: 'hRfmyiWLIk', 'kDwjbc4RAyRsYRbadNOU', 'JajhTU4RX6v2YwpkTrdk', 'nLa8Ku4RZJuTKY8dagdG', 'nP8uOB4Rx816YpHtqAfQ', 'IYoGw84RGeLJGv2OR5K6', 'U1J', 'P9X', 'Eoi4Baey3a9', 'WpA4Bvm9XN8'
Source: jXtV6KO1A7.exe, Vln0LAmapLMiI2Zt59i.cs	High entropy of concatenated method names: 'bbDmsjadP8', 't4imSsdyHi', 'TJimPphApW', 'aC4P134RR0mZw4gm5lPD', 'KPhPrg4RP2Y2nfZm7Tyf', 'dUIVVo4RkYhZnk8KGq5T', 'e1gMyX4Rl3u8OmRiv4ms', 'vrGmnhYH6D', 'f7kmDWQ99L', 'kgaQFU4Rj3hNf40LViDP'
Source: jXtV6KO1A7.exe, MH1a5v4wTEhLbfqHMSD.cs	High entropy of concatenated method names: 'k294alZVhw', 'Dkw4v9c5Vc', 'YTt4rjNFrc', 'lGDEKr4sgtlmjBmIqjXb', 'iBrrlB4shRC9YVHGn2xy', 'Mx7aEM4s2CMYfFNO0ZaY', 'b8HsJA4s6BEcr3vITZsS', 'BdeWXL4s1IbT68IxF1ko'
Source: jXtV6KO1A7.exe, hQ5Vfa4UkhiCGFkp8Wh.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'qjt4F4EgSfx', 'o5v4B4peqhS', 'CQnyDV4SWnOpb5a5sVyN', 'pjtlRJ4S4sVlJOhNwxdy', 'Dx47Gv4SKLyU0ohp61WB', 'FBaJCB4SeP9T7uVaTH75'
Source: jXtV6KO1A7.exe, BgPJVWhXxxCCvckYgoc.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'y9i4FHI5PCQ', 'JIl4BQk4GJv', 'M1ZsyV4MFSrtpLtM5F5q', 'Ritray4MoIaWwIZWfwYd', 'QQ8NtL4McQwFfObDvQRS', 'My4C9H4MbpserHwJUd9w', 'o0R14B4MLdOCU5eFJIOk'
Source: jXtV6KO1A7.exe, eu4veQSQYKFpVxad5UP.cs	High entropy of concatenated method names: 'uONSV2lKAl', 'oaWSyEWhuk', 'PrhS3g3yj4', 'ruZjiL4ihQFBsfPmKnFU', 'HGq0Uo4irtV5v0imwl4u', 'Q8dLVK4iTLGQ5Y3Xbxkt', 'YSlv5c4i2xo0em3IIgMm', 'x3YNH34igYNjM2Tna77m', 'Wcvda44i68nEaV4Jpi6u'
Source: jXtV6KO1A7.exe, OrS90XF61pkxJbU3RQs.cs	High entropy of concatenated method names: 'gbBFnmgduh', 'OoI9vb4O5QvNkUyYrv29', 'QD8aMQ4OjY8bp93sqmpk', 'K4Ydi84OssImj37yXQX9', 'aNubCP4OSrGh1iSujCN6', 'Ulvf6v4OPdvcmooKvBU3', 'PDWkAI4OnDBhs7OPGCX7', 'PClO8N4ODq9JMeraT4Wd', 'C1EqTV4OkiwmtNEEUEKE'
Source: jXtV6KO1A7.exe, rVdLQ9ubiOt1BGCb2bH.cs	High entropy of concatenated method names: 'Dispose', 'C5TuHQAsk5', 'FHPuw5Yw0M', 'Duluu8DjE7', 'wL5uD44Cp0NZ4ggBVHkb', 'd5Np6j4CJwOeZyWe8r9D', 'pj7RaR4CNLintGeUuAmN', 'IE0VRf4CqDX7DNlJjaVE', 'TbHRLK4CQ6qZq84NMZmu', 'VwhPlw4CiFFp3sYd2vVe'
Source: jXtV6KO1A7.exe, A8bVaYKRdqscTirTMOw.cs	High entropy of concatenated method names: 'XOOKpExr1N', 'eOtKJjV1Wi', 'ld4lBT4Sf8aDw2da627I', 'ldRDvK4SCix7UgCjhdcT', 'J1Qc8k4S8UCYQgqZLDWs', 'nJjKi39fZp', 'bP6RrN4SJtGe6ok9h5dX', 'S4ESyw4SM5DVmmXyoJfo', 'iHqjH84SpxB1BpuyHQBx', 'YLeK9i2bYw'
Source: jXtV6KO1A7.exe, QOZEIoYpjlwX7WbrDO1.cs	High entropy of concatenated method names: 'NliYALENRU', 'Hb8YxUAw8S', 'p53XJZ49A7DnXWWOiFpp', 'iqXObw49X8kUqO8QW06K', 'TF5Z8549Zc0QSCNuHvSY', 'wrxOKJ49x78e2eXGccLw', 'Im9YNXTjau', 'l3nYqGlI3N', 'oN2YQnyJRq', 'IGGYixYM8S'
Source: jXtV6KO1A7.exe, fWvR5H7pKAOOpI4lhh4.cs	High entropy of concatenated method names: 'Crv7AHaOfP', 'wFb7x9M7cQ', 'H2K7GSHlhV', 'SPPFOP4ldj56bvHjZrJQ', 'Im3OWu4ltYs8PEErxCVc', 'Fk5vYk4lyK8MuQLJkSGk', 'rrRa1R4l3ywLfucVIiBK', 'pb07NBWnNY', 'DN07q4nJq4', 'rR67QVlnIc'
Source: jXtV6KO1A7.exe, y9FrVeFcu7JX2YlKeRe.cs	High entropy of concatenated method names: 'XreFLc64yP', 'f7aFH6cPOy', 'Hp0FwTXp1a', 'IGvTQT4OFg1NLXcKjtMM', 'Fw86244O7bvMFt3TfWkM', 'ww4rrV4OYVlHsA7a5eSj', 'yp7R0Q4Oot3K9c1PvxHr', 'NMfhBJ4OcbRGtBsalaSi', 'TL9OeN4Obi5INbjxKdwi', 'luZqOU4OLdycJ91g0voa'
Source: jXtV6KO1A7.exe, O7sonW5nGCkcgv4rx3P.cs	High entropy of concatenated method names: 'amJ55HSxfP', 'Qek5jUsCyq', 'L8x5s0SlEL', 'Vak5S3OSos', 'dA75PykEfd', 'GURpfH4qjNSin8Ijnmdp', 'tWCg5U4qsSCqnXHAYpSc', 'PgjSFv4qSct27rfsHkVq', 'br5Kyg4qPGS2BHDnDGrq', 'e6rcUu4qk0kdC0eEXeIm'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Drops PE files

Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\PqilTgDk.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\LAruMjCr.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\sefxVWpg.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\sQKOYFFi.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\taSXmSLk.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\bXOSCjJR.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\ptzhOIen.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\FUwWbQoJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\ESXfsmJN.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\mHjHeUgp.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\iQFjSUoF.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\LIbMrSdw.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\Public\Pictures\hYMmOtYRdhDhf.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\fcnjtBSI.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\AZuFUlyQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\WxtkghQV.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\UZaSZUPd.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\QjjbSXPj.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\zXVOlHTT.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\GSXexQDE.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\UvHCLyMa.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\FPynOmYI.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\upByWoUh.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\DSJnFhkO.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\pwmQgNor.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\fNEJJgKL.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\UrhkoqJf.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\ugRfrFtb.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\utbPtwXc.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\BifwrcrL.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\cXcKpojQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\jFwZJlcu.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\IFbmiezC.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\WcMBvDTY.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\rqbpkIti.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\AUxWHHiO.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\gXpAgXCG.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\wetnNFIW.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\OCediSHm.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\lyyPHcot.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\PvfTgKTl.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\bsvBnNGP.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\PySDyPdp.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\jBWHmcZz.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\nrNytZZs.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\zxAgkPgS.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\eDwAwSEJ.log	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe			Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\IFbmiezC.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\ptzhOIen.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\WcMBvDTY.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\FUwWbQoJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\ugRfrFtb.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\lyyPHcot.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\UrhkoqJf.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\AZuFUlyQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\rqbpkIti.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\PvfTgKTl.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\taSXmSLk.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\nrNytZZs.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\fNEJJgKL.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\UZaSZUPd.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\DSJnFhkO.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\upByWoUh.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\sefxVWpg.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\jBWHmcZz.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\bXOSCjJR.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\QjjbSXPj.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\GSXexQDE.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\wetnNFIW.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File created: C:\Users\user\Desktop\fcnjtBSI.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\sQKOYFFi.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\pwmQgNor.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\eDwAwSEJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\ESXfsmJN.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\cXcKpojQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\zXVOlHTT.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\iQFjSUoF.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\PySDyPdp.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\FPynOmYI.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\LIbMrSdw.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\AUxWHHiO.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\PqilTgDk.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\gXpAgXCG.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\LAruMjCr.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\utbPtwXc.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\jFwZJlcu.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\OCediSHm.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\mHjHeUgp.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\UvHCLyMa.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\BifwrcrL.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\bsvBnNGP.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\zxAgkPgS.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File created: C:\Users\user\Desktop\WxtkghQV.log	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jXtV6KO1A7	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jXtV6KO1A7	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jXtV6KO1A7	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jXtV6KO1A7	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jXtV6KO1A7	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hYMmOtYRdhDhf	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Memory allocated: 1820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Memory allocated: 1B730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 10B0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 1ABC0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: FF0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 1AC00000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Memory allocated: 1B000000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Memory allocated: 17E0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Memory allocated: 1B3A0000 memory reserve \| memory write watch
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Memory allocated: 1250000 memory reserve \| memory write watch
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Memory allocated: 1AF80000 memory reserve \| memory write watch
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Memory allocated: AD0000 memory reserve \| memory write watch
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Memory allocated: 1A5F0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Memory allocated: 1AEF0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Memory allocated: 1720000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Memory allocated: 1B2A0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 19C0000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 1B370000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 1060000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 1AC00000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 1270000 memory reserve \| memory write watch
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Memory allocated: 1ADA0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Memory allocated: DE0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Memory allocated: 1ACA0000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2809	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1287	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1357	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1295
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1388
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1361
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1353
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1726
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1417
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1318
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1277
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1466
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2299
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1274
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1604
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 969
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1646
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 970

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\upByWoUh.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DSJnFhkO.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PqilTgDk.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UrhkoqJf.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LAruMjCr.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ugRfrFtb.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pwmQgNor.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\utbPtwXc.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sefxVWpg.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fNEJJgKL.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BifwrcrL.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sQKOYFFi.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\taSXmSLk.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cXcKpojQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jFwZJlcu.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IFbmiezC.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bXOSCjJR.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WcMBvDTY.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AUxWHHiO.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rqbpkIti.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ptzhOIen.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gXpAgXCG.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FUwWbQoJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wetnNFIW.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ESXfsmJN.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mHjHeUgp.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OCediSHm.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iQFjSUoF.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LIbMrSdw.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lyyPHcot.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PvfTgKTl.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fcnjtBSI.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AZuFUlyQ.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bsvBnNGP.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PySDyPdp.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WxtkghQV.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UZaSZUPd.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QjjbSXPj.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jBWHmcZz.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nrNytZZs.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zxAgkPgS.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zXVOlHTT.log	Jump to dropped file
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GSXexQDE.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eDwAwSEJ.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UvHCLyMa.log	Jump to dropped file
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FPynOmYI.log	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe TID: 6588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8052	Thread sleep count: 2809 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9200	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8932	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8084	Thread sleep count: 1287 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9204	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8908	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184	Thread sleep count: 1357 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1700	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8884	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8256	Thread sleep count: 1295 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8892	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe TID: 6016	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8260	Thread sleep count: 1388 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9196	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8916	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8356	Thread sleep count: 1361 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5064	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712	Thread sleep count: 1353 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8900	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe TID: 8000	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368	Thread sleep count: 1726 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8456	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8344	Thread sleep count: 1417 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7832	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9012	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8420	Thread sleep count: 1318 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8512	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8988	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8688	Thread sleep count: 1277 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9064	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8708	Thread sleep count: 1466 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8204	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9048	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8684	Thread sleep count: 2299 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2448	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9112	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8704	Thread sleep count: 1274 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8380	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9040	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8712	Thread sleep count: 1604 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8248	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9128	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8656	Thread sleep count: 969 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6392	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8996	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8744	Thread sleep count: 1646 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8960	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8284	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9136	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8676	Thread sleep count: 970 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8324	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9148	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe TID: 9972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe TID: 9144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe TID: 7236	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe TID: 10180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe TID: 8864	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe TID: 8836	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe TID: 5852	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe TID: 9028	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe TID: 9920	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe TID: 10004	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process token adjusted: Debug
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Process token adjusted: Debug
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Process token adjusted: Debug
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Process token adjusted: Debug
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\My Pictures\hYMmOtYRdhDhf.exe'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ado\en-US\Registry.exe'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\hYMmOtYRdhDhf.exe'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jXtV6KO1A7.exe'
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\My Pictures\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ado\en-US\Registry.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jXtV6KO1A7.exe'	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hoedt554\hoedt554.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\My Pictures\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ado\en-US\Registry.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\hYMmOtYRdhDhf.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jXtV6KO1A7.exe'	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\dlRCjeHhst.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESAFD2.tmp" "c:\Windows\System32\CSCDDA5522436C442998F7B48C7E6412627.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe "C:\Users\Public\Documents\hYMmOtYRdhDhf.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe C:\Users\Public\Documents\hYMmOtYRdhDhf.exe

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Queries volume information: C:\Users\user\Desktop\jXtV6KO1A7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Queries volume information: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Queries volume information: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Queries volume information: C:\Users\user\Desktop\jXtV6KO1A7.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\jXtV6KO1A7.exe	Queries volume information: C:\Users\user\Desktop\jXtV6KO1A7.exe VolumeInformation
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Queries volume information: C:\Program Files\Common Files\System\ado\en-US\Registry.exe VolumeInformation
Source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe	Queries volume information: C:\Program Files\Common Files\System\ado\en-US\Registry.exe VolumeInformation
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Queries volume information: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe VolumeInformation
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Queries volume information: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe VolumeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Queries volume information: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe VolumeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Queries volume information: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	Queries volume information: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe VolumeInformation
Source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	Queries volume information: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe VolumeInformation

Source: C:\Users\user\Desktop\jXtV6KO1A7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: Process Memory Space: hYMmOtYRdhDhf.exe PID: 2108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hYMmOtYRdhDhf.exe PID: 8828, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: jXtV6KO1A7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.jXtV6KO1A7.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1634670722.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: jXtV6KO1A7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.jXtV6KO1A7.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: Process Memory Space: hYMmOtYRdhDhf.exe PID: 2108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hYMmOtYRdhDhf.exe PID: 8828, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: jXtV6KO1A7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.jXtV6KO1A7.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1634670722.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: jXtV6KO1A7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.jXtV6KO1A7.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\System\ado\en-US\Registry.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\hYMmOtYRdhDhf.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe, type: DROPPED

ID:	1429027
Product:	CloudBasic
Start time:	05:36:06
Start date:	20.04.2024
Sample:	jXtV6KO1A7.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	05488f673ffd2063badad75aaa0f7d83
SHA1:	15d293a62da1a91cd85fa617c49ec37457ed5c2b
SHA256:	d3fdc737b6c67b92e239b72492106972d4d599fb0b6aa83e0b5de1cba771c3ad
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Program Files\Common Files\System\ado\en-US\Registry.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	05488F673FFD2063BADAD75AAA0F7D83	15D293A62DA1A91CD85FA617C49EC37457ED5C2B	D3FDC737B6C67B92E239B72492106972D4D599FB0B6AA83E0B5DE1CBA771C3AD
C:\Program Files\Common Files\System\ado\en-US\Registry.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Program Files\Common Files\System\ado\en-US\ee2ad38f3d4382	ASCII text, with very long lines (932), with no line terminators	DC40413ED05F62805BB2042E52EE6677	E29C6870A24789FA70DE807EE2A845E421987BFA	C5A33B0E74A81791C4766B4C2819ADA50941578D6E9AD54EE3496D134C6432EA
C:\Program Files\Windows Media Player\Media Renderer\9e8d7a4ca61bd9	ASCII text, with very long lines (760), with no line terminators	3ED754387DD378A1F08D4601F9856BCF	97203E2695A6B2FADE99B2D700A50F910B7CE118	54B1F8108131F3D56698ADF98499CA345B3A18D43BC90CA73F1649879971D810
C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	05488F673FFD2063BADAD75AAA0F7D83	15D293A62DA1A91CD85FA617C49EC37457ED5C2B	D3FDC737B6C67B92E239B72492106972D4D599FB0B6AA83E0B5DE1CBA771C3AD
C:\Program Files\Windows Media Player\Media Renderer\RuntimeBroker.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\Public\Documents\23fc0d88861170	ASCII text, with very long lines (769), with no line terminators	88DCB3091F18D15714EA7A86F67444D2	698ABF6CDD2C95DB0D11A8F465F3A9A691D435D2	55659562074E112CD0F6E874677AB85EC7FF99BB5BD9121861AF3ADD8FC94670
C:\Users\Public\Documents\hYMmOtYRdhDhf.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	05488F673FFD2063BADAD75AAA0F7D83	15D293A62DA1A91CD85FA617C49EC37457ED5C2B	D3FDC737B6C67B92E239B72492106972D4D599FB0B6AA83E0B5DE1CBA771C3AD
C:\Users\Public\Documents\hYMmOtYRdhDhf.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\Public\Pictures\23fc0d88861170	ASCII text, with very long lines (334), with no line terminators	BC437C0DD545461928168EB06A0DFADF	18AC7C4FAB5FE2FFDD4872246AA7596BA428E545	6DF12658EE91484A46A5E2F97BE94E42AFF245EEB8B8AB275F4B2F13C4C330CD
C:\Users\Public\Pictures\hYMmOtYRdhDhf.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	05488F673FFD2063BADAD75AAA0F7D83	15D293A62DA1A91CD85FA617C49EC37457ED5C2B	D3FDC737B6C67B92E239B72492106972D4D599FB0B6AA83E0B5DE1CBA771C3AD
C:\Users\Public\Pictures\hYMmOtYRdhDhf.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log	CSV text	9F9FA9EFE67E9BBD165432FA39813EEA	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hYMmOtYRdhDhf.exe.log	ASCII text, with CRLF line terminators	8754EE8606838243DB62D2041DB5B769	09BEF02C7C76A250EEEC032792EF7F74961E66DA	5C95958D140BE11D69653A043D69DF7E4568C7D3EC511D5C206BE7C66F74BD13
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jXtV6KO1A7.exe.log	ASCII text, with CRLF line terminators	0C47412B6C6EF6C70D4B96E4717A5D3B	666FCC7898B52264D8A144600D7A3B0B59E39D66	0B3F6655476FA555F55859443DE496AF7279529D291EF9745C22C5C283B648F9
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	83CC0A063AE0CE6A770449E01B262D4C	C7CE3B64EDC6EE028A45E627CF26BF4FD53B71A1	A9AEE05DF0FDCBF68D93BCDD148D152AA05DC301F6C7DA4E450C8D38AAF195AA
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	F93358E626551B46E6ED5A0A9D29BD51	9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03	0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
C:\Users\user\AppData\Local\Temp\2CPXfojCPJ	ASCII text, with no line terminators	323A4E0EFC151160527D4538FC10CE89	CC347043DFE14C3318F0092A6F7AB45396482E35	70A2121DE81A9525F0B79B9604906AD1392E32AA2A9DD01A3B0680A22062C3F4
C:\Users\user\AppData\Local\Temp\RESAFD2.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6ec, 10 symbols, created Sat Apr 20 04:37:10 2024, 1st section name ".debug$S"	4A2798C32BFE571D6B7E0D9C748DB138	0D1D2671DF1FA52D69D185A22239D0069350E017	E098723CE54AA9597D960D091EE5B5C7D0EB6723D4D1BEC576F50426DFBCA824
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0bekgdi1.4lq.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0v53vaap.wh2.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1blvv4yb.jeo.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1cqfkyaa.4b3.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2tarwi1u.wti.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_33knc5ss.j1z.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3gzqcoav.tqm.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3vj1yr3y.ok0.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3zyhtfhq.npo.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4h05pjmz.zwg.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4hql5z42.zec.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4salabig.cei.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5qpqdrg4.zwn.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a1abstws.hbt.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ael1pako.vp2.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ak2xlw32.uv3.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ax5qrwna.jng.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bcbpwps1.4ja.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bzgqb0sk.nca.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cikbztlq.k2l.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ciobwaxa.ibs.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_clkupt02.ua4.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cmwmb2zc.pnm.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dawabxlt.ygr.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dc43jbxc.uzs.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dlug2blw.d40.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_emzyfzde.4iq.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ezrjbmix.nus.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f3owzepf.cxi.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gnjt5imw.esm.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gpm4ezsn.1ad.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gsarkdgu.kmb.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gvzppiqa.kr2.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h15yqcdg.sqr.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i2bkh1ot.ima.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_inn0f1zi.0yi.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iwebwwdy.hm5.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j33evzrr.okc.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j3bpil1f.y4z.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jfe4cegu.kzv.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jk4cbuh3.t2o.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kbmpnnyi.wdm.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_levljmze.z31.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mcmlnl45.skz.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nlkvl0xj.v35.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ofixf0w5.4at.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pkgqrmhs.u40.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pkkwjehs.kur.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pluyswh3.mqy.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_po1ns30w.jtt.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pwnsnjce.5ul.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qfzwp4y2.ibs.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qhyj45p2.puq.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rg5cgvks.mex.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sj4iarsk.vsw.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sug20ehi.3qi.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_swqzo3gn.cgq.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t102uywa.nl4.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t4dnavjd.mb5.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_thz2lbeh.yre.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tikz3kvj.rs1.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tt0jhncp.vwz.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_txyhgyyv.d1p.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_udautaxk.2hi.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uijbarrw.kua.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wf2kzfdc.gy4.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wll1kl1o.kl3.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wqefpren.4cz.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xbwmhl4r.uru.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmbiupug.x0i.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z4gap0gf.vck.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zhfsmmkm.efq.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\dlRCjeHhst.bat	DOS batch file, ASCII text, with CRLF line terminators	5A0E0C74C74DE003B141EDB1C8677F7B	41A5362534D612918C7DBF01E560A87E35097C9A	096B56ACF20EB964D42004197ECFD7B478C9AD9729516D32F268F1646F9035AD
C:\Users\user\AppData\Local\Temp\hoedt554\hoedt554.0.cs	C++ source, Unicode text, UTF-8 (with BOM) text	0B01233A9C8EBEFDE1D254234338429C	5B67297B4D9A754CF1FAABEEF86C7236BDE307A8	49E82C2E8A9D13E510F1F08225611AE70E4075BFAF83002EC5E3C9A92A58FBDD
C:\Users\user\AppData\Local\Temp\hoedt554\hoedt554.cmdline	Unicode text, UTF-8 (with BOM) text, with no line terminators	B1CCC05D478276702D468CFE0328E7BE	3439CBA3DD66E1F61002B2C5E288D18DED852137	34E3AC4B566E2365857B2A2C360E2D32BC39326AEB6486D1D29A1CB6FBC13988
C:\Users\user\AppData\Local\Temp\hoedt554\hoedt554.out	Unicode text, UTF-8 (with BOM) text, with very long lines (329), with CRLF, CR line terminators	07E6BD681BF9FBBF337888D978D1A6D0	14B109841B8378A98B28ADE33092CA3966ADC224	59B3BFDA393A51AA26D9B0F6B26E5D21A47CB36EBAC14D08CB2FA1D9703BCCC5
C:\Users\user\Desktop\4f893074fe26e1	ASCII text, with very long lines (852), with no line terminators	911AE3A9A222314F2014F44A914DF8BE	4E099210646A2C5B500A5B0F570212BE1A559F50	0D2DFD4B8FBA8FC6189FDF9F367602F44F3F019E1BCB00DAB7B0966E8C40A810
C:\Users\user\Desktop\AUxWHHiO.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	5EE7E079F998F80293B3467CE6A5B4AE	3C0932D48F3542E9DFB09AD9E1FF70891A038532	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
C:\Users\user\Desktop\AZuFUlyQ.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	0D323E1CACEA89CAA5DDEAF2F37BCA69	4769C3E947D02A1FD548BE64013F520D571D96E1	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
C:\Users\user\Desktop\BifwrcrL.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	2D6975FD1CC3774916D8FF75C449EE7B	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
C:\Users\user\Desktop\DSJnFhkO.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	F4B38D0F95B7E844DD288B441EBC9AAF	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
C:\Users\user\Desktop\ESXfsmJN.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	51B1964F31C557AE8C2B01EA164ABD9F	97C6E8FD1F21D644281FAF82D017969FE22423E4	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
C:\Users\user\Desktop\FPynOmYI.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	2E116FC64103D0F0CF47890FD571561E	3EF08A9B057D1876C24FC76E937CDA461FAC6071	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
C:\Users\user\Desktop\FUwWbQoJ.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	0EEEA1569C7E3EBBB530E8287D7ADCF9	3C196FA10144566EBFBEE7243313314094F3A983	57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
C:\Users\user\Desktop\GSXexQDE.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	E4FA63649F1DBD23DE91861BB39C317D	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
C:\Users\user\Desktop\IFbmiezC.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	5EE7E079F998F80293B3467CE6A5B4AE	3C0932D48F3542E9DFB09AD9E1FF70891A038532	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
C:\Users\user\Desktop\LAruMjCr.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	0EEEA1569C7E3EBBB530E8287D7ADCF9	3C196FA10144566EBFBEE7243313314094F3A983	57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
C:\Users\user\Desktop\LIbMrSdw.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	BBDE7073BAAC996447F749992D65FFBA	2DA17B715689186ABEE25419A59C280800F7EDDE	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
C:\Users\user\Desktop\OCediSHm.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	9DADB5C8A6FD5020275C31EE6BC61D63	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
C:\Users\user\Desktop\PqilTgDk.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	3601048DFB8C4A69313A593E74E5A2DE	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
C:\Users\user\Desktop\PvfTgKTl.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	2D6975FD1CC3774916D8FF75C449EE7B	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
C:\Users\user\Desktop\PySDyPdp.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	A4F19ADB89F8D88DBDF103878CF31608	46267F43F0188DFD3248C18F07A46448D909BF9B	D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
C:\Users\user\Desktop\QjjbSXPj.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	BBDE7073BAAC996447F749992D65FFBA	2DA17B715689186ABEE25419A59C280800F7EDDE	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
C:\Users\user\Desktop\UZaSZUPd.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	51B1964F31C557AE8C2B01EA164ABD9F	97C6E8FD1F21D644281FAF82D017969FE22423E4	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
C:\Users\user\Desktop\UrhkoqJf.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	9DADB5C8A6FD5020275C31EE6BC61D63	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
C:\Users\user\Desktop\UvHCLyMa.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	D478E398EFCD2BD9BDBFEA958F7BEE4F	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
C:\Users\user\Desktop\WcMBvDTY.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	996BD447A16F0A20F238A611484AFE86	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
C:\Users\user\Desktop\WxtkghQV.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	00574FB20124EAFD40DC945EC86CA59C	8B96C4B6F450E711085AE7B22517C195222ACFDF	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
C:\Users\user\Desktop\bXOSCjJR.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	2E116FC64103D0F0CF47890FD571561E	3EF08A9B057D1876C24FC76E937CDA461FAC6071	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
C:\Users\user\Desktop\bsvBnNGP.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	E4FA63649F1DBD23DE91861BB39C317D	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
C:\Users\user\Desktop\cXcKpojQ.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	F4B38D0F95B7E844DD288B441EBC9AAF	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
C:\Users\user\Desktop\eDwAwSEJ.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	E9CE850DB4350471A62CC24ACB83E859	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
C:\Users\user\Desktop\fNEJJgKL.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	E9CE850DB4350471A62CC24ACB83E859	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
C:\Users\user\Desktop\fcnjtBSI.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	00574FB20124EAFD40DC945EC86CA59C	8B96C4B6F450E711085AE7B22517C195222ACFDF	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
C:\Users\user\Desktop\gXpAgXCG.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	996BD447A16F0A20F238A611484AFE86	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
C:\Users\user\Desktop\iQFjSUoF.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	8AE2B8FA17C9C4D99F76693A627307D9	7BABA62A53143FEF9ED04C5830CDC3D2C3928A99	0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
C:\Users\user\Desktop\jBWHmcZz.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	A4F19ADB89F8D88DBDF103878CF31608	46267F43F0188DFD3248C18F07A46448D909BF9B	D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
C:\Users\user\Desktop\jFwZJlcu.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	240E98D38E0B679F055470167D247022	49888CCED719AE78EE3BAE2959402749668AA1C6	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
C:\Users\user\Desktop\lyyPHcot.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	240E98D38E0B679F055470167D247022	49888CCED719AE78EE3BAE2959402749668AA1C6	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
C:\Users\user\Desktop\mHjHeUgp.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	0D323E1CACEA89CAA5DDEAF2F37BCA69	4769C3E947D02A1FD548BE64013F520D571D96E1	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
C:\Users\user\Desktop\nrNytZZs.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	D8BF2A0481C0A17A634D066A711C12E9	7CC01A58831ED109F85B64FE4920278CEDF3E38D	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
C:\Users\user\Desktop\ptzhOIen.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	3601048DFB8C4A69313A593E74E5A2DE	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
C:\Users\user\Desktop\pwmQgNor.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	D8BF2A0481C0A17A634D066A711C12E9	7CC01A58831ED109F85B64FE4920278CEDF3E38D	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
C:\Users\user\Desktop\rqbpkIti.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	D478E398EFCD2BD9BDBFEA958F7BEE4F	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
C:\Users\user\Desktop\sQKOYFFi.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	16B480082780CC1D8C23FB05468F64E7	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
C:\Users\user\Desktop\sefxVWpg.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	8AE2B8FA17C9C4D99F76693A627307D9	7BABA62A53143FEF9ED04C5830CDC3D2C3928A99	0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
C:\Users\user\Desktop\taSXmSLk.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	16B480082780CC1D8C23FB05468F64E7	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
C:\Users\user\Desktop\ugRfrFtb.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	6CD78D07F9BD4FECC55CDB392BC5EC89	094DE32070BED60A811D983740509054AD017CE4	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
C:\Users\user\Desktop\upByWoUh.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	E84DCD8370FAC91DE71DEF8DCF09BFEC	2E73453750A36FD3611D5007BBB26A39DDF5F190	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
C:\Users\user\Desktop\utbPtwXc.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	6CD78D07F9BD4FECC55CDB392BC5EC89	094DE32070BED60A811D983740509054AD017CE4	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
C:\Users\user\Desktop\wetnNFIW.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	0B2AFABFAF0DD55AD21AC76FBF03B8A0	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
C:\Users\user\Desktop\zXVOlHTT.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	E84DCD8370FAC91DE71DEF8DCF09BFEC	2E73453750A36FD3611D5007BBB26A39DDF5F190	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
C:\Users\user\Desktop\zxAgkPgS.log	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	0B2AFABFAF0DD55AD21AC76FBF03B8A0	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
C:\Windows\Logs\CBS\23fc0d88861170	ASCII text, with very long lines (325), with no line terminators	95823F03F4963D86A8AEEB1DB3C1679A	8DDC9AC793442670735ED08F4BAD66DDA09303A3	E75D860BAAA50B8DD169ACAF668FA1ADC3194472CBC94A0748454218D5375D5C
C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	05488F673FFD2063BADAD75AAA0F7D83	15D293A62DA1A91CD85FA617C49EC37457ED5C2B	D3FDC737B6C67B92E239B72492106972D4D599FB0B6AA83E0B5DE1CBA771C3AD
C:\Windows\Logs\CBS\hYMmOtYRdhDhf.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Windows\System32\CSCDDA5522436C442998F7B48C7E6412627.TMP	MSVC .res	931E1E72E561761F8A74F57989D1EA0A	B66268B9D02EC855EB91A5018C43049B4458AB16	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
C:\Windows\System32\SecurityHealthSystray.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	D6675BFA12DA060B451FB7493AF5C2E2	A7B9380759FD2FC561755544CBFA7E71D13D1A4D	47A568A11716DFC49FED92A7D8392DD3D2D6369C7EE166C7196DC819346DADAB
\Device\Null	ASCII text, with CRLF line terminators	CE0B507672CF21F077BB5B1157573E57	E4E3BA916625201DEA3D67ABBA4A4F87E1C2DF87	8E585E69377E1E7CA234C4AE6E76FCFB89AF25461B55CA7097FF3D45B84DCCEB

Windows Analysis Report
jXtV6KO1A7.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report jXtV6KO1A7.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
jXtV6KO1A7.exe

Malware Threat Intel
Provided by