Loading ...

Play interactive tourEdit tour

Windows Analysis Report KAF-PR-21-F-3089_pdf.exe

Overview

General Information

Sample Name:KAF-PR-21-F-3089_pdf.exe
Analysis ID:483902
MD5:b5fdcd6723e679c54a5f8652c59bc52a
SHA1:fc83546ee73bea22ea563b9644700abef62d0ef2
SHA256:245e18b14a6b231f2a89b812dace828478aa24419d600e2ac8c7acd989320e1a
Tags:agentteslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
.NET source code contains very large strings
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • KAF-PR-21-F-3089_pdf.exe (PID: 4932 cmdline: 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe' MD5: B5FDCD6723E679C54A5F8652C59BC52A)
    • powershell.exe (PID: 2416 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4152 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmp56.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • KAF-PR-21-F-3089_pdf.exe (PID: 5760 cmdline: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe MD5: B5FDCD6723E679C54A5F8652C59BC52A)
  • xepul.exe (PID: 6464 cmdline: 'C:\Users\user\AppData\Roaming\xepul\xepul.exe' MD5: B5FDCD6723E679C54A5F8652C59BC52A)
    • powershell.exe (PID: 7000 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 7036 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA79.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • xepul.exe (PID: 7096 cmdline: C:\Users\user\AppData\Roaming\xepul\xepul.exe MD5: B5FDCD6723E679C54A5F8652C59BC52A)
  • xepul.exe (PID: 6884 cmdline: 'C:\Users\user\AppData\Roaming\xepul\xepul.exe' MD5: B5FDCD6723E679C54A5F8652C59BC52A)
    • powershell.exe (PID: 5180 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6100 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmp12EF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • xepul.exe (PID: 240 cmdline: C:\Users\user\AppData\Roaming\xepul\xepul.exe MD5: B5FDCD6723E679C54A5F8652C59BC52A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.525505401.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000007.00000002.525505401.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000013.00000002.393930598.0000000002E22000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        0000001C.00000002.435693980.0000000002C11000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          0000001C.00000002.435693980.0000000002C11000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 24 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            23.2.xepul.exe.37072a0.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              23.2.xepul.exe.37072a0.4.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                0.2.KAF-PR-21-F-3089_pdf.exe.43972a0.5.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  0.2.KAF-PR-21-F-3089_pdf.exe.43972a0.5.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    7.2.KAF-PR-21-F-3089_pdf.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 15 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Powershell Defender ExclusionShow sources
                      Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe' , ParentImage: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe, ParentProcessId: 4932, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe', ProcessId: 2416
                      Sigma detected: Non Interactive PowerShellShow sources
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe' , ParentImage: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe, ParentProcessId: 4932, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe', ProcessId: 2416
                      Sigma detected: T1086 PowerShell ExecutionShow sources
                      Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132762203357091900.2416.DefaultAppDomain.powershell

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: KAF-PR-21-F-3089_pdf.exeVirustotal: Detection: 30%Perma Link
                      Source: KAF-PR-21-F-3089_pdf.exeReversingLabs: Detection: 28%
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\OgRWrNP.exeReversingLabs: Detection: 28%
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeReversingLabs: Detection: 28%
                      Machine Learning detection for sampleShow sources
                      Source: KAF-PR-21-F-3089_pdf.exeJoe Sandbox ML: detected
                      Machine Learning detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeJoe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Roaming\OgRWrNP.exeJoe Sandbox ML: detected
                      Source: 7.2.KAF-PR-21-F-3089_pdf.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.550948575.00000000032DD000.00000004.00000001.sdmp, KAF-PR-21-F-3089_pdf.exe, 00000007.00000003.518331573.00000000010A4000.00000004.00000001.sdmpString found in binary or memory: http://J3BWl3u49AqFuQ10uy.org
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551085177.0000000003321000.00000004.00000001.sdmpString found in binary or memory: http://mail.fclbd.com
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpString found in binary or memory: http://r3.i.lencr.org/0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.lencr.org0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000000.00000002.279795283.00000000032D1000.00000004.00000001.sdmp, xepul.exe, 00000013.00000002.393894687.0000000002E11000.00000004.00000001.sdmp, xepul.exe, 00000017.00000002.427903703.0000000002641000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpString found in binary or memory: http://tTuraz.com
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.551350359.0000000003362000.00000004.00000001.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%$
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000000.00000002.280292651.00000000042D9000.00000004.00000001.sdmp, KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.525505401.0000000000402000.00000040.00000001.sdmp, xepul.exe, 00000013.00000002.395567488.0000000003E19000.00000004.00000001.sdmp, xepul.exe, 00000017.00000002.430188905.0000000003649000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.548284229.0000000002FB1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: KAF-PR-21-F-3089_pdf.exe
                      .NET source code contains very large array initializationsShow sources
                      Source: 7.2.KAF-PR-21-F-3089_pdf.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b18A51FD1u002d699Cu002d4958u002d8E15u002dD578628C0381u007d/DA178CC2u002dD6C0u002d4582u002d870Eu002d4AFCBFB3B250.csLarge array initialization: .cctor: array initializer size 11955
                      .NET source code contains very large stringsShow sources
                      Source: KAF-PR-21-F-3089_pdf.exe, Forms/mainForm.csLong String: Length: 38272
                      Source: OgRWrNP.exe.0.dr, Forms/mainForm.csLong String: Length: 38272
                      Source: 0.0.KAF-PR-21-F-3089_pdf.exe.d00000.0.unpack, Forms/mainForm.csLong String: Length: 38272
                      Source: xepul.exe.7.dr, Forms/mainForm.csLong String: Length: 38272
                      Source: 7.2.KAF-PR-21-F-3089_pdf.exe.9f0000.1.unpack, Forms/mainForm.csLong String: Length: 38272
                      Source: 7.0.KAF-PR-21-F-3089_pdf.exe.9f0000.0.unpack, Forms/mainForm.csLong String: Length: 38272
                      Source: 19.2.xepul.exe.8b0000.0.unpack, Forms/mainForm.csLong String: Length: 38272
                      Source: 19.0.xepul.exe.8b0000.0.unpack, Forms/mainForm.csLong String: Length: 38272
                      Source: 23.0.xepul.exe.2c0000.0.unpack, Forms/mainForm.csLong String: Length: 38272
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E41880_2_016E4188
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E33A00_2_016E33A0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E3A980_2_016E3A98
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E7E700_2_016E7E70
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E417A0_2_016E417A
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E11280_2_016E1128
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E11190_2_016E1119
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E4B680_2_016E4B68
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E33900_2_016E3390
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E3A880_2_016E3A88
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E05C80_2_016E05C8
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E05B80_2_016E05B8
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E44F80_2_016E44F8
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_016E4E630_2_016E4E63
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_0307C1240_2_0307C124
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_0307E5630_2_0307E563
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 0_2_0307E5700_2_0307E570
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B790F87_2_00B790F8
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B7D8C07_2_00B7D8C0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B772107_2_00B77210
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B757407_2_00B75740
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B727487_2_00B72748
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B7B4E07_2_00B7B4E0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B7EDB07_2_00B7EDB0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B71A9C7_2_00B71A9C
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00B7BEC07_2_00B7BEC0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00BA3CD27_2_00BA3CD2
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00BA0BBA7_2_00BA0BBA
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00BA87C07_2_00BA87C0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00BA91307_2_00BA9130
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_00BABFA87_2_00BABFA8
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_010947A07_2_010947A0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_010946B07_2_010946B0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeCode function: 7_2_010946D07_2_010946D0
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_0141C12419_2_0141C124
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_0141E56119_2_0141E561
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_0141E57019_2_0141E570
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD33A019_2_02BD33A0
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD709019_2_02BD7090
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD339E19_2_02BD339E
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD408819_2_02BD4088
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD408219_2_02BD4082
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD112819_2_02BD1128
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD111919_2_02BD1119
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD05B819_2_02BD05B8
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD3D9019_2_02BD3D90
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD3D8219_2_02BD3D82
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 19_2_02BD05C819_2_02BD05C8
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_00B6C12423_2_00B6C124
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_00B6E57023_2_00B6E570
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_00B6E56223_2_00B6E562
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_025933A023_2_025933A0
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_0259709023_2_02597090
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_0259339F23_2_0259339F
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_0259408823_2_02594088
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_0259408323_2_02594083
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_0259111923_2_02591119
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_0259112823_2_02591128
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_025905C823_2_025905C8
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_02593D9023_2_02593D90
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_02593D8323_2_02593D83
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_025905B823_2_025905B8
                      Source: KAF-PR-21-F-3089_pdf.exeBinary or memory string: OriginalFilename vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000000.00000002.279816896.00000000032ED000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameEnvoySinks.dll6 vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000000.00000002.278858528.0000000000D02000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameISO2022Mod.exe4 vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000000.00000002.280292651.00000000042D9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameXvNxqBZmYOOkfDPzpKQLpRZPpYuDHRfG.exe4 vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000000.00000002.280292651.00000000042D9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCF_Secretaria.dll< vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exeBinary or memory string: OriginalFilename vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.532992936.0000000000EF8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.525505401.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameXvNxqBZmYOOkfDPzpKQLpRZPpYuDHRfG.exe4 vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.545734745.000000000127A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exe, 00000007.00000002.527053723.00000000009F2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameISO2022Mod.exe4 vs KAF-PR-21-F-3089_pdf.exe
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: OgRWrNP.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: xepul.exe.7.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: KAF-PR-21-F-3089_pdf.exeVirustotal: Detection: 30%
                      Source: KAF-PR-21-F-3089_pdf.exeReversingLabs: Detection: 28%
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile read: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeJump to behavior
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe'
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmp56.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\xepul\xepul.exe 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\xepul\xepul.exe 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA79.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Users\user\AppData\Roaming\xepul\xepul.exe C:\Users\user\AppData\Roaming\xepul\xepul.exe
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmp12EF.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Users\user\AppData\Roaming\xepul\xepul.exe C:\Users\user\AppData\Roaming\xepul\xepul.exe
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmp56.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA79.tmp'Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Users\user\AppData\Roaming\xepul\xepul.exe C:\Users\user\AppData\Roaming\xepul\xepul.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\xepul\xepul.exe'
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmp12EF.tmp'
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess created: C:\Users\user\AppData\Roaming\xepul\xepul.exe C:\Users\user\AppData\Roaming\xepul\xepul.exe
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile created: C:\Users\user\AppData\Roaming\OgRWrNP.exeJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmp56.tmpJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@27/13@0/0
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5612:120:WilError_01
                      Source: KAF-PR-21-F-3089_pdf.exe, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: OgRWrNP.exe.0.dr, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.0.KAF-PR-21-F-3089_pdf.exe.d00000.0.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: xepul.exe.7.dr, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 7.2.KAF-PR-21-F-3089_pdf.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 7.2.KAF-PR-21-F-3089_pdf.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: KAF-PR-21-F-3089_pdf.exe, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: OgRWrNP.exe.0.dr, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.KAF-PR-21-F-3089_pdf.exe.d00000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: xepul.exe.7.dr, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.2.KAF-PR-21-F-3089_pdf.exe.9f0000.1.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.0.KAF-PR-21-F-3089_pdf.exe.9f0000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 19.2.xepul.exe.8b0000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 19.0.xepul.exe.8b0000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 23.0.xepul.exe.2c0000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeCode function: 23_2_00B6F932 push esp; iretd 23_2_00B6F939
                      Source: KAF-PR-21-F-3089_pdf.exeStatic PE information: 0xF53BFD57 [Tue May 18 18:49:59 2100 UTC]
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.18032157411
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.18032157411
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.18032157411
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile created: C:\Users\user\AppData\Roaming\OgRWrNP.exeJump to dropped file
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile created: C:\Users\user\AppData\Roaming\xepul\xepul.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgRWrNP' /XML 'C:\Users\user\AppData\Local\Temp\tmp56.tmp'
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run xepulJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run xepulJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeFile opened: C:\Users\user\AppData\Roaming\xepul\xepul.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\xepul\xepul.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX